Adelyn Lau
The leak included members' names, Hong Kong identity card numbers, passport numbers, photos, dates of birth, addresses, e-mail addresses and telephone numbers, as well as names and telephone numbers of emergency contacts, the Office of the Privacy Commissioner for Personal Data said yesterday.

Hong Kong's privacy watchdog has criticized the South China Athletic Association for its inadequate awareness of the need to protect personal data following ransomware attacks in March that affected more than 72,000 members.
Privacy Commissioner Ada Chung Lai-ling said the incident could have been avoided.
"As a long-established sports organization holding a significant amount of personal data, it was disappointing that the SCAA failed to implement effective information system security measures to safeguard members' data prior to the incident," she said.
The incident affected 72,315 members, she said, adding that the attacks were from ransomware believed to be a variant of Trigona.
Five rounds of inquiries came after SCAA submitted a data breach notification to the privacy commissioner on March 18, reporting that its servers were attacked by ransomware and data maliciously encrypted.
It was found that a hacker initiated the attack by installing malware on one of the association's servers connected to the internet in January 2022.
The hacker lurked for two years, infiltrating the association's network. Other malicious activities included setting up an administrator account on the server and disabling anti-virus and anti-malware software after installing remote-control software.
In March, over 43,400 login attempts were made by the hacker, of which more than 20,000 were recorded within four hours "as the SCAA had not enabled the intruder lockout function for failed login attempts," said Chung.
Eventually, files containing the data were encrypted by the ransomware, prompting the SCAA to report. The report said it had notified all affected members and implemented enhanced measures afterward.
In total, eight servers, one data storage device and 18 computers were affected.
Chung said: "The SCAA's awareness of the need to protect the personal data of its members was weak.
"If it had adopted appropriate and adequate organizational and technical security measures before the incident, the incident could likely have been avoided."
The SCAA contravened the Personal Data (Privacy) Ordinance by failing to take all steps to ensure the data involved was protected against unauthorized or accidental access, processing, erasure, loss or use, Chung said.
The watchdog has issued an enforcement notice to the SCAA, directing it to take measures to remedy the contravention and prevent recurrence, and requiring it to submit proof of improvement measures within two months.
adelyn.lau@singtaonewscorp.com
The SCAA's awareness of the need to protect data of its members was weak, according to Ada Chung. SING TAO
















