
Latest News

Japan Airlines System Hit by Cyber Attack

27 Dec 2024

Japan Airlines System Hit by Cyber Attack

Japan Airlines (JAL) was hit by a cyberattack that began at 7:24 AM local time and targeted the airline’s internal and external network equipment, leading to system malfunctions that affected communication and operational processes.


JAL, the nation’s second-largest airline, reported a significant cyberattack on its systems early Thursday morning, causing disruptions to both domestic and international flight operations.


In 2022, a similar attack disrupted operations at a Toyota supplier, halting production at domestic plants for an entire day. More recently, in June 2024, the video-sharing platform Niconico suspended its services due to a large-scale cyberattack.

PCPD enforcement notices on “Blind” Recruitment Advertisements Posted on OnlineJobs DB

10 Dec 2024

PCPD enforcement notices on “Blind” Recruitment Advertisements Posted on OnlineJobs DB

The PCPD has served enforcement notices on JobsDB and three recruiting organisations, directing them to take measures to remedy the contraventions and prevent recurrence, and has issued an advisory letter to each of the remaining five organisations.


The PCPD calls upon other operators of online recruitment platforms to:

  • Beware of anyone using Blind Ads to perpetrate frauds or collect personal data by unfair means; and

  • Carefully review recruitment advertisements received to identify Blind Ads and avoid publishing the same in order to protect the personal data privacy of members of the public.

The PCPD reiterated that Blind Ads may be used as an unscrupulous means to collect personal data and may be misused by swindlers to collect personal data for fraudulent activities. When job seekers are unable to ascertain the employers’ identities, they should check and verify the information contained in the Blind Ads carefully and should not respond to the Blind Ads arbitrarily and submit their personal data.

Privacy Commissioner confirms data breach affecting 17,000 individuals by EMSD

9 Dec 2024

Privacy Commissioner confirms data breach affecting 17,000 individuals by EMSD

The PCPD has uncovered a significant data breach involving EMSD, affecting over 17,000 individuals who were subject to 14 compulsory testing operations during the pandemic between March and July 2022; the data included names, addresses, identity card numbers, and phone numbers.


This incident highlights four major deficiencies in the EMSD’s handling of personal data.

1. Lack of written policies on the retention of personal data collected in the RTD operations.

2. Failure to make an unequivocal request to the contractor for deletion of the relevant data.

3. Failure to take the initiative to delete the personal data involved.

4. Failure to properly follow up with the contractor on the deletion of data.


Investigation report: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_06502_e.pdf

Deloitte Hacked – Brain Cipher Ransomware Group Allegedly Stole 1 TB of Data

6 Dec 2024

Deloitte UK Hacked – Brain Cipher Ransomware Group Allegedly Stole 1 TB of Data

Notorious ransomware group Brain Cipher has claimed to have breached Deloitte UK, allegedly exfiltrating over 1 terabyte of sensitive data from the professional services giant.


Brain Cipher is a ransomware group that emerged in June 2024, quickly gaining notoriety for its cyberattacks on organizations worldwide. Notably, it was responsible for a significant attack on Indonesia’s National Data Center, which disrupted services for over 200 government agencies, including immigration and passport control.


According to statements posted by Brain Cipher, the attack has exposed critical vulnerabilities in Deloitte UK’s cybersecurity infrastructure.

PCPD and HKPC Jointly Release “HK Enterprise Cyber Security Readiness Index and AI Security” Survey - 
Index has increased by 5.8 points to 52.8 points

2 Dec 2024

PCPD and HKPC Jointly Release “HK Enterprise Cyber Security Readiness Index and AI Security” Survey

The PCPD and HKPC jointly released the results of the “HK Enterprise Cyber Security Readiness Index and AI Security” survey on 21 November. The “HK Enterprise Cyber Security Readiness Index” has increased by 5.8 points to 52.8 points (out of a maximum of 100 points) compared with last year. The index comprises four areas: “Policy and Risk Assessment”, “Technology Control”, “Process Control” and “Human Awareness Building”.


Full survey: https://www.pcpd.org.hk/english/resources_centre/publications/surveys/files/AISecuritySurvey2024.pdf


HKPC’s “Phishing Defence Services”: https://www.hkpc.org/en/our-services/digital-transformation/cyber-security/phishing-defence-services

Fintech For 45 Of 50 Top Banks Confirms Data Breach

21 Nov 2024

Fintech For 45 Of 50 Top Banks Confirms Data Breach

Finastra, a global leader in financial technology that serves 45 of the world’s top 50 banks, has confirmed a major data breach affecting its internal file transfer system, SFTP. The London-based firm, which facilitates vital banking and wire transfers for over 8,100 financial institutions worldwide, detected the breach on Nov. 7.


The breach targeted Finastra’s internally hosted Secure File Transfer Platform, or SFTP, which was exploited using stolen credentials—essentially, a username and password.

Facebook Data Breach Fallout—Millions May Receive Compensation

19 Nov 2024

Facebook Data Breach Fallout—Millions May Receive Compensation

Amid Facebook's ongoing privacy struggles, a German court has ruled that users affected by the massive 2019 data breach can seek compensation without proving specific damage, as reported by Bloomberg. This ruling represents a meaningful shift in how tech companies may be held accountable for data protection failures.


The 2019 breach exposed the personal information of 533 million Facebook users across 157 countries through a technique known as "scraping." The scope of exposed information was extensive, including full names, phone numbers, locations, birth dates, email addresses and biographical information.

Background on the 2019 breach: https://www.forbes.com/sites/ajdellinger/2021/04/03/personal-date-of-533-million-facebook-users-leaks-online/


Amazon confirms employee data breach after vendor hack

12 Nov 2024

Amazon confirms employee data breach after vendor hack

Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum. The threat actor Nam3L3ss published over 2.8 million lines of Amazon employee data, including names, contact information, building locations, email addresses, and more.


Amazon spokesperson Adam Montgomery confirmed Nam3L3ss' claims, adding that this data was stolen from systems belonging to a third-party service provider. 


Nam3L3ss has also leaked data from twenty-five other companies. However, they say some of the data was obtained from other sources, including ransomware gangs' leak sites and exposed AWS and Azure storage buckets.

Personal data of 148,000 people leaked in breach at two HK hearing centres

5 Nov 2024

Personal data of 148,000 people leaked in breach at two HK hearing centres

Widex Hong Kong Hearing and Speech Centre and its subsidiary Starry Hearing and Speech Centre say they were among the outlets that suffered a ransomware attack on July 5, which encrypted their internal system data and impacted their applications.


The Office of the Privacy Commissioner for Personal Data estimated on Nov 4 that about 148,000 customers and 30-50 current and former employees had been affected.


Widex is a Denmark-based company that was founded in 1956 and specialises in hearing aids and related services. Its Hong Kong branch was established in 1986 and is one of the first private institutions to offer hearing and speech therapy services in the city. 

LA Housing Authority Admits Data Breach By Cactus Ransomware Gang

5 Nov 2024

US LA Housing Authority Data Breach By Cactus Ransomware Gang

The incident marked the second major cybersecurity breach at the Housing Authority of the City of Los Angeles (HACLA) in just two years, spotlighting significant challenges in securing critical public sector data. The Cactus ransomware gang has reportedly exfiltrated nearly 900GB of sensitive data from the organization, including:

  • Personal identification information

  • Database backups

  • Financial documents

  • Executive and employee records

  • Customer information

  • Internal corporate communications

HACLA is responsible for managing over 32,000 public housing units and overseeing a budget of $1 billion annually.

2024 Information Security & Data Protection Awareness Week

5 Nov 2024

2024 Information Security & Data Protection Awareness Week

We look forward to your active participation!

Data Breach Impacts 800,000 Insurance Customers

4 Nov 2024

Landmark Admin - Data Breach Impacts 800,000 Insurance Customers

Landmark Admin, a company that provides administrative services to several major U.S. insurance carriers, has recently announced that a cyberattack in May 2024 exposed the personal information of over 800,000 individuals. The compromised information includes highly sensitive details such as names, Social Security numbers, driver's license numbers, passport numbers, tax IDs, bank details, medical information, health insurance policy numbers, and even life and annuity policy details.

US Department of Health and Human Services - 100 million people hit in largest healthcare data breach in history

28 Oct 2024

US Department of Health and Human Services - 100 million people hit in largest healthcare data breach in history

Federal legislators have confirmed UnitedHealth's April statement that February's data breach exposed the data of a third of all Americans.


After completing its investigation into February's data breach, the US Department of Health and Human Services said this week that roughly a third of all Americans' health data was exposed in the attack. In February, the ransomware hacking group ALPHV, also known as "BlackCat," launched a cyberattack on UnitedHealth subsidiary Change Healthcare. 


Change Healthcare is one of the largest health payment processing companies in the world and works with leading insurance companies like Aetna, Anthem, Blue Cross Blue Shield, and Cigna.


This continues the 26 Feb news item posted on the DPO website:

https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/

PCPD Welcomes LinkedIn’s Pause of Using HK Users’ Personal Data for Training GenAI Models

15 Oct 2024

PCPD Welcomes LinkedIn’s Pause of Using HK Users’ Personal Data for Training GenAI Models

On 3 October 2024, PCPD expressed concern regarding LinkedIn’s default opt-in setting for using Hong Kong users’ personal data and content on the platform to train its generative AI models for content creation, and wrote to LinkedIn to enquire into the matter. 


The PCPD received a response from LinkedIn on Oct 13 confirming that it has paused any use of Hong Kong users’ personal data for such purposes as of 11 October 2024 while the PCPD’s concerns are being addressed.

Hong Kong government to hold first joint cybersecurity drill among departments, organisations

15 Oct 2024

HK unauthorised access to online service accounts saw the biggest jump; HK Government to mitigate ‘rising’ risk of cyberattacks with first joint cybersecurity drill

The Hong Kong government is to hold its first joint cybersecurity drill among departments and organisations. Hong Kong recorded 34,112 technology-related crime cases last year, up nearly 50 per cent from 2022, while financial losses spiked by 71 per cent to HK$5.49 billion (US$706.5 million), according to figures submitted to the panel. Among them, “unauthorised access to online service accounts” saw the biggest jump, from 168 cases in 2022 to 3,434 in 2023.


Referring to the drills, Data Policy Office deputy commissioner Daniel Cheung Yee-wai said teams would have to build defences against simulated attacks. Digital policy commissioner Wong said the government was in initial talks with industry players to offer more cost-effective cybersecurity services that public organisations could afford. Wong urged residents to avoid clicking on unknown links and to refrain from accessing sensitive information, such as bank account details, when their devices were connected to free public networks.

The Internet Archive is under attack, with a breach revealing info for 31 million accounts

14 Oct 2024

The Internet Archive with a breach revealing info for 31 million accounts

Internet Archive (www.archive.org) founder Brewster Kahle confirmed the breach and said the website had been defaced with a notification delivered via a JavaScript library.


HIBP refers to Have I Been Pwned, a website where people can look up whether their information has been published in data leaked from cyberattacks. HIBP operator Troy Hunt confirmed to BleepingComputer that he received a file containing “email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data” for 31 million unique email addresses nine days ago and confirmed it was valid by matching data with a user’s account.

American Water Confirms Hack: Customer Portal and Billing Services Suspended

8 Oct 2024

American Water Confirms Hack: Customer Portal and Billing Services Suspended

American Water, the largest regulated water utility company in the US, has disclosed a cybersecurity incident after detecting the breach on October 3. It shut down its customer portal "MyWater" and temporarily suspended billing services. A law enforcement investigation is underway.


The New Jersey-based company serves over 14 million people in 24 states and 18 military installations. It said the hack did not negatively affect its water or wastewater facilities or operations and insists its water is safe to drink.

PCPD Reminds LinkedIn Users to Beware of the Use of Their Personal Data for GenAI Models Training

3 Oct 2024

PCPD Reminds LinkedIn Users to Beware of the Use of Their Personal Data for GenAI Models Training

The PCPD is concerned about whether LinkedIn’s default opt-in setting for using users’ personal data to train generative AI models correctly reflects users’ choices. The PCPD has therefore written to LinkedIn to enquire into the matter.

LinkedIn users should be aware of the updates to LinkedIn’s privacy policy and understand the relevant policy in order to decide whether they agree to allow LinkedIn to use their personal data for training AI models.


If users of LinkedIn are unwilling to authorise LinkedIn to use their personal data for training generative AI models, they can revoke the permission by following the steps at https://www.linkedin.com/mypreferences/d/categories/privacy.

Privacy Commissioner Urges Job Seekers to Stay Vigilant about “Blind” Recruitment Advertisements

2 Oct 2024

PCPD Newsletter: Stay Vigilant about “Blind” Recruitment Advertisements & Online Doxxing Messages Dropped

In order to protect job applicants’ personal data and project a positive corporate image, the PCPD appeals to employers to:

  • Increase transparency in placing recruitment advertisements and disclose the identities of the organisations;

  • Refrain from placing Blind Ads to collect job applicants’ personal data; and

  • If necessary, consider engaging a recruitment agency that is identified in the advertisement to collect the personal data from job applicants.

Online Doxxing Messages Dropped by 90% on Third Anniversary of Anti-Doxxing Law

NIST Drops Password Complexity, Mandatory Reset Rules

30 Sept 2024

NIST’s second public draft password guidelines drop complexity rules, mandatory resets and knowledge-based authentication

The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.


NIST's second public draft of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSPs) to stop requiring users to set passwords that use specific types of characters and to stop mandating periodic password changes (commonly every 60 or 90 days). CSPs are also instructed to stop using knowledge-based authentication or security questions when selecting passwords.


NIST now recommends forcing a password reset only when there is evidence of a credential breach.
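To make the shift concrete, here is an added example (not code from the original page or from NIST) of a small password verifier that places a legacy composition-and-rotation policy beside one aligned with the direction described above: length-based checks, a breached-password blocklist, no character-class rules, and forced resets only after evidence of compromise. The length thresholds, the blocklist contents and the account records are constructed for illustration, not taken from the draft.

```python
"""Contrast a legacy password policy with one aligned to the SP 800-63-4
draft direction described in the news item. All numbers and data here are
constructed example values, not values from the draft or the page."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import unicodedata

# Constructed stand-in for a breached-credential corpus (real deployments
# would query a large blocklist or a compromised-password service).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass(frozen=True)
class Policy:
    min_length: int
    max_length: int
    require_character_mix: bool      # legacy "upper+lower+digit+symbol" rule
    rotation_days: Optional[int]     # None means no periodic expiry
    security_questions: bool         # knowledge-based authentication allowed?
    check_blocklist: bool            # reject known-breached passwords?


# The policy many organisations still run: composition rules, 90-day expiry,
# security questions, and no blocklist check.
LEGACY = Policy(min_length=8, max_length=16, require_character_mix=True,
                rotation_days=90, security_questions=True, check_blocklist=False)

# Policy reflecting the draft's direction. The 15-character minimum is an
# assumed single-factor threshold chosen for this example.
DRAFT_ALIGNED = Policy(min_length=15, max_length=64, require_character_mix=False,
                       rotation_days=None, security_questions=False, check_blocklist=True)


def has_character_mix(pw: str) -> bool:
    """Legacy composition test: at least one of each character class."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def check_password(pw: str, policy: Policy) -> List[str]:
    """Return the list of rejection reasons; an empty list means accepted."""
    pw = unicodedata.normalize("NFKC", pw)   # compare consistently across input forms
    reasons = []
    if len(pw) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        reasons.append(f"longer than {policy.max_length} characters")
    if policy.require_character_mix and not has_character_mix(pw):
        reasons.append("missing required character classes")
    if policy.check_blocklist and pw.lower() in BLOCKLIST:
        reasons.append("appears in breached-password blocklist")
    return reasons


@dataclass
class Account:
    last_change: datetime
    compromised: bool = False   # set when a credential breach is confirmed


def reset_required(acct: Account, policy: Policy, now: datetime) -> bool:
    """Legacy: expire on a calendar. Draft-aligned: only after compromise."""
    if acct.compromised:
        return True
    if policy.rotation_days is not None:
        return now - acct.last_change > timedelta(days=policy.rotation_days)
    return False


def rotation_decisions(days_since_change: int, compromised: bool):
    """Return (legacy_forces_reset, draft_forces_reset) for a constructed account."""
    now = datetime(2024, 9, 30)
    acct = Account(last_change=now - timedelta(days=days_since_change),
                   compromised=compromised)
    return reset_required(acct, LEGACY, now), reset_required(acct, DRAFT_ALIGNED, now)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple", "Welcome1"]:
        print(f"{candidate!r}: legacy={check_password(candidate, LEGACY)}, "
              f"draft={check_password(candidate, DRAFT_ALIGNED)}")
    print("120 days, not compromised:", rotation_decisions(120, False))
    print("30 days, compromised:", rotation_decisions(30, True))
```

Running the script shows the practical difference: a long passphrase is rejected by the legacy policy (too long, no symbol) but accepted by the draft-aligned one, a short but "complex" password passes the legacy check yet fails the length requirement, and a breached password such as "Welcome1" is caught only by the blocklist. The reset logic likewise fires on a calendar under the legacy policy but only on a confirmed compromise under the draft-aligned one.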

Copyright @2024 The University of Hong Kong. All Rights Reserved.