The Consumer Council failed to enable multifactor authentication for remote access to data, leading to an information leak involving more than 450 people last September, the privacy watchdog has found.
After the council reported a ransomware attack on its servers and endpoint devices, the Office of the Privacy Commissioner for Personal Data launched an investigation.
Privacy commissioner Ada Chung Lai-ling said the consumer watchdog failed to properly configure the cybersecurity solutions it had adopted to detect and block cybersecurity threats, and lacked sufficient safeguards to prevent personal data from being stored on testing servers.
She reminded organizations to verify the identity of remote users as work-from-home initiatives have become common.
Chung said the incident arose after the council started allowing staff members to connect to its server with a virtual private network when it introduced work-from-home arrangements in November 2020 during the pandemic.
However, it did not adopt multifactor authentication for remote access.
Hacker group ALPHV obtained the credentials of a council user account with administrative privileges and accessed its network through a VPN on September 4 last year.
Between September 19 and 20, the group deployed ransomware on the servers and endpoints, resulting in the malicious encryption of 93 systems.
The leaked data included names, phone numbers, e-mail addresses or residential addresses of 477 complainants, IT personnel and staff members.
But the council failed to explain why the user account was obtained by hackers, citing that the staff in charge of network security had quit. Additionally, the council did not notice the breach as the cybersecurity solution was not properly configured to send an e-mail alert.
"Even though it detected the attack, it did not send any e-mail alert to the council for this particular incident, and that was why the council only discovered the cyberattack on September 20," Chung said.
Chung served an enforcement notice on the council with directions to remedy the contravention, including establishing a robust cybersecurity framework, conducting regular risk assessments and system security audits, and strengthening training.
The council should submit documents by June 29 certifying the fulfillment of the directions or it would be held criminally liable.
The council said it has undertaken measures to strengthen security, including restoring its IT systems and commissioning forensic experts to investigate the incident.
stacy.shi@singtaonewscorp.com
