A total of 127,268 individuals were affected by the Incident, which included 100,185 ICARD members, 27,069 Brooks Brothers members, and 14 current and former employees of ImagineX, etc. The personal data affected included the names, email addresses, telephone numbers, birth months, genders, and nationalities of the members, as well as the passport copies of the employees etc. The incident: ImagineX received a ransom note from a threat actor on 15 May 2024.
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r25_09623_e.pdf
Deficiencies contributed to the Incident:
1. Failure to delete temporary account timely after system troubleshooting
2. Use of end-of-support operating system
3. Ineffective detective measures for information systems
4. Insufficient security risk reviews and audits for information systems