The Privacy Commissioner’s investigative reports are spilled milk stories that serve as salutary reminders to the mortals among us that there, but for the grace of God, go we. This was again highlighted in the investigative report released by the Office of the Privacy Commissioner in Hong Kong on February 17, 2022 into a hacker’s intrusion into the email system of Nikkei China (Hong Kong) Limited. Padraig Walsh of our Data Privacy Practice Group shares a few points we all need to remember.
A hacker obtained the password for an email account created by Nikkei China to communicate with customers. The hacker then set up a forwarding function for this email account and five other email accounts sharing the same password, automatically forwarding all incoming emails to two unknown email addresses apparently belonging to the hacker. Between October 2020 and February 2021, the hacker managed to forward emails sent to Nikkei China by 1,644 customers – 650 in Hong Kong, 994 overseas. The personal data disclosed by the emails included customer names, email addresses, company names, job titles, phone numbers and credit card details.
Nikkei China had an Information Management Regulation that established a framework for the overall security management of information held by the company. All staff members were verbally instructed to carefully review the contents of this policy, which was kept in a shared folder accessible to all staff members. There was also a set of security management measures that applied to all group companies, which included a password policy.
The alarm was raised on March 1, 2021, when a Nikkei China staff member received a failed delivery error regarding an email to an unknown and suspicious email address. An internal investigation identified that an unauthorized external account controlled six Nikkei China email accounts, and the controller surreptitiously forwarded approximately 16,860 emails over a five-month period.
Nikkei China notified the Privacy Commissioner of the data breach on March 17, 2021 and made a public announcement the same day.
Common Features and Flaws
The investigation report highlights some common characteristics and failings of data breach incidents.
The intrusion lasted at least four months before being discovered. This may seem long, but it is a feature of many hacking incidents. Once an intruder is within the walls of a computer system, it may be possible to go undetected for some time. Often it takes a chance anomaly to trigger an investigation. In the case of Nikkei China, it was a delivery failure message on an email and an alert employee who escalated the report for further investigation.
At the time of the incident, 41 email accounts had been created, 24 of which belonged to former staff members and were no longer in use. There was no system in place to remove and close redundant email accounts of people who no longer worked with Nikkei China.
It’s a surprisingly common problem. Activity on the email accounts of departed employees is less likely to be detected. These accounts are often used by hackers to attempt phishing activities or to receive, undetected, emails from vendors or customers unwittingly seeking to communicate with a departed employee.
The hacked email accounts all used the same password. This was the default password set by the email service provider when creating the accounts. The password consisted of a short series of numbers – neither long nor complex. Nikkei China had not required its staff to change the default password, nor to periodically change the passwords for its email accounts. Weak passwords are more susceptible to brute force or phishing attacks and represent a basic security vulnerability.
The webmail service used by Nikkei China did not support multi-factor authentication. Multi-factor authentication is now standard practice, ensuring that users of such a service are verified by more than one means. However, many old or legacy services do not implement it. This type of problem would be detected during inspections or reviews of computer systems by third parties, but Nikkei China had not carried out routine inspections of the configuration of its messaging system.
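The three control gaps described above (external auto-forwarding rules, mailboxes of departed staff, and one default password shared across accounts) are all visible in a mailbox inventory, so they can be checked routinely rather than discovered by a bounced email. The audit below is an added example, not code from the report or from Nikkei China; the mailbox records, the domain example.com and the password fingerprints are constructed sample data.

```python
"""Mailbox hygiene audit for the control gaps in the Nikkei China case:
external auto-forwarding, mailboxes of departed staff, and one password
shared across several accounts. All input records are constructed."""
from collections import defaultdict
from datetime import date

INTERNAL_DOMAIN = "example.com"   # assumption: the company's own mail domain
AUDIT_DATE = date(2021, 3, 1)     # constructed: day the audit is run

# Constructed sample of the inventory an auditor would pull from the mail service.
# pw_fingerprint stands for a hash of the stored password, never the plaintext.
MAILBOXES = [
    {"address": "sales@example.com", "owner_active": True, "last_login": date(2021, 2, 28),
     "forward_to": ["collector@mail-drop.example.net"], "pw_fingerprint": "fp-default"},
    {"address": "support@example.com", "owner_active": True, "last_login": date(2021, 2, 27),
     "forward_to": ["helpdesk@example.com"], "pw_fingerprint": "fp-default"},
    {"address": "a.lee@example.com", "owner_active": False, "last_login": date(2019, 6, 1),
     "forward_to": [], "pw_fingerprint": "fp-default"},
    {"address": "it@example.com", "owner_active": True, "last_login": date(2021, 2, 28),
     "forward_to": [], "pw_fingerprint": "fp-unique-1"},
]

def external_forwarders(mailboxes, internal_domain=INTERNAL_DOMAIN):
    """Accounts whose forwarding rule sends mail outside the company's own domain.
    This is the mechanism the intruder used; a forward to a colleague is normal."""
    hits = []
    for m in mailboxes:
        ext = [d for d in m["forward_to"] if d.rsplit("@", 1)[-1].lower() != internal_domain]
        if ext:
            hits.append((m["address"], ext))
    return hits

def dormant_accounts(mailboxes, today=AUDIT_DATE, max_idle_days=90):
    """Accounts belonging to departed staff, or idle beyond the allowed window."""
    return sorted(m["address"] for m in mailboxes
                  if not m["owner_active"] or (today - m["last_login"]).days > max_idle_days)

def shared_passwords(mailboxes):
    """Groups of accounts sharing one password fingerprint, e.g. an unchanged
    provider default. Only fingerprints are compared, never plaintext passwords."""
    groups = defaultdict(list)
    for m in mailboxes:
        groups[m["pw_fingerprint"]].append(m["address"])
    return {fp: sorted(addrs) for fp, addrs in groups.items() if len(addrs) > 1}

if __name__ == "__main__":
    print("external forwarding:", external_forwarders(MAILBOXES))
    print("dormant accounts:", dormant_accounts(MAILBOXES))
    print("shared passwords:", shared_passwords(MAILBOXES))
```

Each finding maps to one of the shortcomings the Privacy Commissioner listed, so the same report can drive a periodic review of the messaging system's configuration.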
All businesses now see security incidents and data breaches as a key risk factor they must address. A data breach could be seen as a matter of when, not if. An interesting corporate culture barometer is to gauge the data user’s business response when a data breach occurs. Nikkei China reacted well.
Nikkei China changed the passwords of the affected accounts and disabled the forwarding function on March 1, 2021, the same day the incident was discovered. The next day, all email account passwords were changed.
The data breach was notified to the Privacy Commissioner on March 17, 2021. This is reasonably timely, given that Hong Kong is a jurisdiction with no mandatory data breach notification requirement. Nikkei Inc. (parent company of Nikkei China) announced the data breach on its website the same day, and Nikkei China also emailed affected customers and notified the affected credit card issuers.
Nikkei China migrated the email system to a cloud-based email provider, which offered strong password security and multi-factor authentication. Other technical improvements were made to information security systems.
Nikkei China updated its Information Management Policy and required a signed attestation from its employees that they had read and understood its provisions. Importantly, Nikkei China also hired external professionals to conduct information security training sessions and committed to undergo training on an annual basis.
The Privacy Commissioner unsurprisingly found that Nikkei China had failed to take all practicable security measures to protect the personal data held by it, as required by the data protection principles of the Personal Data (Privacy) Ordinance. This finding was based on the following shortcomings:
- weak password management;
- retention of obsolete email accounts;
- lack of security controls for remote access to messaging systems; and
- inadequate security controls over its information systems.
The Privacy Commissioner issued an enforcement notice for certain prescribed actions to be taken – which, according to the investigation report, Nikkei China was already dealing with.
The terms of an enforcement notice inevitably focus on concrete corrective actions to remedy a data breach. The recommendations, however, are a good indication of the policy measures the Privacy Commissioner hopes companies will take. Here are some of the recommendations offered by the Privacy Commissioner in the investigation report:
- establish a privacy management program;
- appoint a data protection officer;
- adopt a policy on email communications; and
- inculcate a culture of privacy in the workplace.
This investigation report highlights features and flaws that may well resonate with many midsize businesses. Do you have a password management policy in place? Do you have a system and process for deleting all obsolete accounts of departed employees? Do you have multi-factor authentication in place for remote access to your systems? These failures resulted in a data breach for Nikkei China; some of us may need to consider the same points.
We live in a time when, where information security is concerned, good is often not good enough. Security should be a constant priority of senior management, with resources committed to ensuring that systems are robust, resilient and frequently reviewed, and that people are properly trained to be aware of the risks and of the best practices that can mitigate them.