On February 17, 2022, the Personal Data Protection Commissioner (“PCPD”) issued an investigation report (“investigation report”) regarding a cyber incident, in particular a malicious intrusion by hackers into the email system of Nikkei China (Hong Kong) Ltd (“Company”). In the investigation report, the PCPD presents its investigation findings regarding this cybersecurity incident, its recommendations to organizations on cybersecurity and personal data protection, and details of the enforcement notice issued against the Company for its breach of Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).
On March 17, 2021, the Company reported to the PCPD that 6 email accounts of its staff had been hacked and that emails had been forwarded to various unknown email addresses. As a result, the personal details of over 1,600 customers, including customer names, email addresses, company names, job titles, phone numbers and credit card details, were leaked (the “Incident”).
Upon receipt of the company’s data breach notification, the PCPD conducted an investigation and compliance check against the company and found that the security of the company’s email system was susceptible to unauthorized intrusion. In particular, the PCPD noted the following weaknesses in the Company’s messaging system:
1. Inadequate password management: All 6 hacked email accounts had the same password, which was the default password set by the email service provider when the accounts were created. Moreover, the default password consisted of a short string of digits, which is an inherently weak password.
2. Failure to manage outdated email accounts: One of the hacked email accounts belonged to a retired staff member of the Company and was no longer in use. The Company had failed to review and manage dormant or inactive email accounts.
3. Lack of security controls for remote access to the email system: The company did not use the security monitoring and alerting feature, which would notify system administrators of suspicious connections.
4. Inadequate information system security controls: The Company did not have policies, procedures and controls in place to manage sensitive personal data.
Overall, the PCPD found that the company had not taken all practical steps to ensure that its customers’ personal data was protected from unauthorized or accidental access, processing or use.
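The three technical gaps listed above (a shared provider-default password, an unreviewed ex-staff account, and unmonitored forwarding to outside addresses) are the kind of conditions a periodic account-hygiene audit catches before an intruder does. The script below is an added illustration, not code from the report or from the Company's systems; the account inventory, the default-password list, the internal domain and the 90-day dormancy threshold are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from hashlib import sha256


@dataclass
class Account:
    user: str
    password_hash: str                     # fingerprint exported by the mail platform (assumed)
    last_login: date
    forward_to: list[str] = field(default_factory=list)
    active_employee: bool = True


def fp(pw: str) -> str:
    # Fingerprint used only to compare against a list of known provider defaults;
    # this is not a password storage scheme.
    return sha256(pw.encode()).hexdigest()


PROVIDER_DEFAULTS = {fp("123456"), fp("000000")}   # constructed placeholder defaults
INTERNAL_DOMAIN = "example.com"                     # assumed corporate mail domain
DORMANT_DAYS = 90                                   # assumed inactivity threshold


def audit(accounts: list[Account], today: date) -> list[tuple[str, str]]:
    """Return (user, finding) pairs for each weakness the PCPD identified."""
    findings = []
    by_hash: dict[str, list[str]] = {}
    for a in accounts:                      # group users by password fingerprint
        by_hash.setdefault(a.password_hash, []).append(a.user)
    for a in accounts:
        if a.password_hash in PROVIDER_DEFAULTS:
            findings.append((a.user, "default-password"))
        if len(by_hash[a.password_hash]) > 1:
            findings.append((a.user, "shared-password"))
        if not a.active_employee:           # account outlives the employee
            findings.append((a.user, "ex-staff-account"))
        if (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.user, "dormant-account"))
        for addr in a.forward_to:           # forwarding rule pointing outside the company
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
                findings.append((a.user, f"external-forward:{addr}"))
    return findings


# Constructed sample inventory mirroring the report's findings (not real accounts).
SAMPLE = [
    Account("alice@example.com", fp("123456"), date(2021, 3, 10)),
    Account("bob@example.com", fp("123456"), date(2021, 3, 12), ["drop@mail-relay.invalid"]),
    Account("retired@example.com", fp("123456"), date(2019, 6, 1), active_employee=False),
    Account("carol@example.com", fp("L0ng&Unique!"), date(2021, 3, 15)),
]
TODAY = date(2021, 3, 17)
```

Running `audit(SAMPLE, TODAY)` flags the three accounts sharing the provider default, the retired user's dormant account, and the external forwarding rule, while the account with a unique password and no forwarding produces no finding.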
Breach of data protection principles
Because the Company controlled the collection, holding, processing and use of the customers’ personal data that was disclosed in the Incident, the Company falls within the definition of a data user under the PDPO.
It follows that the Company is required to comply with the requirements of the PDPO, including the 6 data protection principles. In particular, under Data Protection Principle 4(1), a data user is required to take all practicable steps to ensure that the personal data it holds is protected against unauthorized or accidental access, processing, deletion, loss or use, including hacking incidents.
In light of the investigation findings set out above, the PCPD concluded that the Company breached Data Protection Principle 4(1) of the PDPO by failing to take all practicable steps to protect its customers’ personal data against unauthorized or accidental access, processing or use.
In light of the company’s breach, the PCPD issued an enforcement notice to the company, directing it to take corrective and preventive measures to improve its messaging system to prevent the recurrence of similar breaches:
1. Improve the information security policy and implement a strong password management policy.
2. Develop a mechanism for the regular deletion of expired or obsolete email accounts and regularly monitor and audit (including internal audit) the use of email accounts.
3. Design effective measures to ensure staff compliance with the revised information security policy.
4. Engage an independent data security expert to conduct regular reviews and audits of the security of its information system, including the messaging system.
5. Develop up-to-date information security training and education for staff members, with appropriate records of the training process, attendance and effectiveness.
6. Provide proof within 2 months of the date of the enforcement notice attesting to the fulfillment of points (1) to (5) above.
PCPD Recommendations for Organizations
The PCPD recommends that organizations better protect their customers’ personal data by doing the following:
1. Establish a data privacy management program: maintain an appropriate system to manage personal data from collection to disposal and ensure the ability to respond quickly to data breaches.
2. Implement a policy on email communications: Design a protocol that defines the types of personal data that employees are allowed to send via email.
3. Adopt security measures, such as data encryption, to prevent unauthorized interception of personal data.
4. Train employees on data privacy: Employees should be properly and adequately trained in data protection procedures.
The investigation report serves as a useful reminder to organizations in Hong Kong of their legal obligation to protect the personal data collected. Organizations should remain vigilant against cyberattacks, design effective cybersecurity measures, and update cybersecurity policies regularly. In particular, organizations should implement an effective password management policy, disable unused outdated email accounts, and provide adequate information security training to employees on a regular basis.