Charity Oxfam hacked

Stacy Shi

The personal information of nearly 470,000 patrons of Oxfam - including their payment details - could have been compromised as the city's privacy watchdog received a notification from the charity of a cyber attack last month.

The Office for the Privacy Commissioner for Personal Data said yesterday it was notified by Oxfam on July 13 that hackers might have accessed the personal data of some 470,000 people, including those taking part in its Trailwalker event that will be held from November 15 to 17.

The leak might involve participants and donors' names, addresses, phone numbers, ID card numbers and payment records.

The watchdog said it has launched a probe in accordance with established procedures.

Oxfam in response to the incident, said it will review and enhance its cybersecurity measures and has engaged independent experts to conduct examinations and assessments of the affected systems with a view to investigating whether the incident involved data leakage.

"So far, the cybersecurity experts have not been able to ascertain whether the incident involves personal data leakage," Oxfam said.

As a precautionary measure, Oxfam said it has issued a notice to relevant parties and advised them to consider adopting data security measures.

"We attach great importance to the security of personal data of donors and partners, and have reviewed and strengthened the security measures of our computer systems as recommended by cybersecurity experts," it added.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation and an associate member of Oxfam, said the number of people affected is "one too many, which is certainly undesirable."

He said many organizations adopted work-from-home mode during the pandemic, allowing staff to use company networking systems at home.

"However, the insufficient security provided by firewalls and virtual private networks could generate potential vulnerability that could be exploited by hackers," Fong explained.

"Furthermore, if a staff member opens phishing e-mails, Trojans or other ransomware might be installed, which would allow hackers to gain direct access to the internal network."

He urged all companies and organizations to incorporate cybersecurity maintenance fees as recurring costs and regularly update their security systems.

Separately, information provided by ImagineX revealed that about 127,000 members and employees were affected by a data leak of its luxury fashion brand Brooks Brothers on May 16, the privacy watchdog said.

Personal information - names, e-mail addresses, phone numbers and passport details, including photographs of some 100,000 ImagineX Icard members and 27,000 Brooks Brothers members - were compromised.

"The group has notified all affected parties," the privacy watchdog said, adding it has started an investigation into the incident.

stacy.shi@singtaonewscorp.com