The cyber attack on the Consumer Council, which leaked the personal data of over 450 people, was caused by several deficiencies, including the failure to enable multi-factor authentication for remote access to data, according to Hong Kong's privacy watchdog.
Other deficiencies included a lack of software that could effectively detect and intercept ransomware; a lack of security protocols prohibiting the storage of personal data on test servers; a lack of specificity in the information security policy; and insufficient awareness of personal data protection and cyber security.
This came as the Office of the Privacy Commissioner for Personal Data (PCPD) released its investigation report on the cyber attack that targeted the Consumer Council on September 23 last year.
Privacy Commissioner Ada Chung Lai-ling noted in particular that, although the consumer watchdog had provided relevant cyber security training to staff, the investigation revealed that a former IT staffer had not set a complex password when configuring the information systems.
The relevant IT policies were therefore not thoroughly implemented at the time of the cyber attack.
The investigation also revealed that the personal data had been stored in test servers due to manual errors.
Chung's office made numerous recommendations to the council, including enabling multi-factor authentication for remote access to data, establishing a robust cyber security framework, conducting risk assessments and security audits regularly, and building a corporate culture that values information security.
The council said it attaches great importance to the PCPD's findings and implemented a range of rectification measures immediately after the incident.
The measures included enabling multi-factor authentication for remote data access via VPN, conducting a comprehensive review of the functions and settings of its cyber security solutions, and further strengthening internal training to raise staff awareness of and behaviour towards cyber security.
“The council is also improving its IT policies and guidelines and engaging managed detection and response services provider to enhance its ability to defend against cyber threats,” it said.
The council said the affected data mainly concerned 289 complainants, comprising their names and primary contact details such as telephone number, email address or postal address. No credit card, bank account or other financial information was involved.
The affected data also included the names, divisions and office numbers of 138 current and 24 former staff members listed in the staff directory, one staff member's contact information contained in a draft tender document, and the contact information of 26 vendor personnel.