The Hong Kong branch of international charity Oxfam failed to implement adequate measures to protect its information systems, leading to the leak of personal information belonging to 550,000 individuals last July, according to an investigation by the Office of the Privacy Commissioner for Personal Data (PCPD).
On July 13, Oxfam reported the data breach to the PCPD, revealing that it had fallen victim to a ransomware attack that compromised its information systems.
The investigation found that the breach involved unauthorized access to 37 servers and 24 computers, resulting in the loss of 330 gigabytes of sensitive data.
The leaked information included names, HKID numbers (and copies), passport numbers (and copies), dates of birth, telephone numbers, email addresses, addresses, credit card numbers, and bank account details of donors, event participants, volunteers, project partners, current and former employees, and job seekers.
Privacy Commissioner Ada Chung Lai-ling said that the primary causes of the breach were serious vulnerabilities due to outdated firewalls, a lack of multi-factor authentication, and the failure to apply critical security patches to servers.
“It is regrettable that a large-scale organization, which holds a significant amount of data, has failed to take effective measures to safeguard the security of its information system and to timely delete personal information that has exceeded the retention period,” Chung said.
In response to the findings, the PCPD has issued an enforcement notice to Oxfam, requiring the charity to address these security irregularities and implement measures to prevent similar incidents in the future.
(Stacy Shi)
















