
(1) Data Breach Incident of The Council of the Hong Kong Laureate Forum Limited
The Council reported to the PCPD on 27 September 2023 that its computer systems and file servers had been attacked by ransomware (the Incident).
The Incident affected the personal data of 8,122 individuals, which included approximately 7,200 e-newsletter subscribers. The personal data affected included names, addresses, email addresses, telephone numbers, passport information, full/partial passport/HKID Card numbers, bank account/credit card information, dates of birth, nationalities/places of birth, CVs/transcripts, affiliated organisations and/or academic backgrounds.
The following deficiencies of the Council were the contributing factors:
1. Deficiencies in information system management;
2. Lax monitoring of the data security measures adopted by the service vendor;
3. Lack of policies and guidelines on information security; and
4. Lack of appropriate data backup solutions.
(2) The Ransomware Attack on the Servers of HKB
A report was submitted to the PCPD on 16 October 2023, stating that HKB suffered a ransomware attack on 29 Sep 2023, which affected four physical servers of HKB’s information systems. On 17 Sep 2023, the hacker deployed (via domain admin) “LockBit” ransomware on HKB’s information systems, which resulted in the encryption of files and the exfiltration of data and files stored therein.
The following deficiencies were the contributing factors:
1. Outdated operating software of the Server;
2. Unnecessary exposure of the Server to the Internet during system migration performed by the service vendor;
3. Lack of monitoring of the data security measures adopted by the service vendor; and
4. Absence of security assessments and security audits of the information systems.
Additional info - https://www.thestandard.com.hk/breaking-news/section/4/219202/Hong-Kong-Laureate-Forum-and-HK-Ballet-criticised-over-privacy-breach