Hong Kong privacy watchdog finds ‘clear oversight’ in tech park data leak

Hong Kong technology park Cyberport’s infrequent security audits and unnecessary retention of personal data were among the deficiencies that allowed its servers to be attacked by malicious ransomware last August, the city’s privacy watchdog has found.

Around 40 per cent of the 13,632 individuals whose personal information was leaked from the government-owned tech hub were unsuccessful job applicants and ex-employees, the Office of the Privacy Commissioner for Personal Data (PCPD) said in a report released on Tuesday.

According to the PCPD’s findings, a hacker accessed Cyberport’s network on August 6, 2023, and maliciously encrypted files on the server days later. A ransom note was received by the tech park on August 17 and the data breach was reported to the privacy watchdog a day after.

The data leak was not made public until September 6, around three weeks after Cyberport notified the PCPD.

The personal data that was shared on the dark web included names, identity card numbers, bank account numbers, medical reports, photographs and social media account information.

‘Clear oversight’

Privacy Commissioner for Personal Data Ada Chung wrote in the report that Cyberport lacked effective detection measures in its information systems and did not enable multi-factor authentication, which allowed the hacker to access its network remotely.

The reliance on a single anti-malware detection programme was “clearly inadequate and disproportionate” for the tech hub, which manages large-scale information systems, she wrote. Employees of Cyberport also did not have a concrete cybersecurity framework to follow, the probe found.

“The lack of a requirement to conduct a pre-implementation risk assessment or independent security audit on one of its affected systems, before its implementation, was a clear oversight,” the 22-page report read.

‘Unnecessary retention’

The PCPD’s investigation also revealed that Cyberport had kept the personal information of unsuccessful job applicants beyond the one-year period stated in its data retention policy. The tech park also retained personal data of former employees after they had left the company.

The number of individuals affected by last August’s data breach would have been significantly reduced if Cyberport had deleted the data after the retention periods expired, the privacy watchdog remarked.

“Cyberport also did not provide justification for retaining the personal data concerned, resulting in the unnecessary retention of the personal data,” the report read.

Privacy Commissioner Ada Chung attends a press conference on April 2, 2024 on “Investigation Report on Ransomware Attack on the Information Systems of Hong Kong Cyberport Management Company Limited.” Photo: Office of the Privacy Commissioner for Personal Data.

The PCPD called on Cyberport to establish a personal data privacy management programme and appoint data protection officers to oversee the company’s compliance with the Personal Data (Privacy) Ordinance. Designated personnel should also be appointed to review the implementation of data retention policies.

Risk assessments and security audits must be conducted in a timely manner, especially before launching any new system or applications, the watchdog said.

In a statement released on Tuesday, Cyberport said it took the incident “very seriously” and had established a task force to follow up on the enhancement of its defences against hacker attacks. The company had also fortified its network protection barriers and hired third-party service providers to review its network security, it said.

“Cyberport will continue to enhance cybersecurity measures, strengthening its ability to counter cybersecurity threats, and ensuring that its operations comply with the Personal Data (Privacy) Ordinance,” Director of Cyberport Victor Ng, who also chairs the task force, said.

© Hong Kong Free Press