
Lessons learned from the PCPD privacy investigation report on an email system hack incident

2022-05-30

Introduction

On 17 February 2022, the Privacy Commissioner for Personal Data (“PCPD”) issued an investigation report (“Investigation Report”) regarding a cyber-incident, specifically a malicious intrusion by hackers into the email system of Nikkei China (Hong Kong) Ltd (“Company”). In the Investigation Report, the PCPD sets out its investigation findings regarding the incident, its recommendations to organisations on cybersecurity and the protection of personal data, and details of the enforcement notice issued to the Company for its contravention of Data Protection Principle 4(1) of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).

The investigation

On 17 March 2021, the Company reported to the PCPD that 6 of its staff email accounts had been hacked and that emails had been forwarded to various unknown email addresses. As a result, the personal data of more than 1,600 customers, including customers’ names, email addresses, company names, job titles, telephone numbers and credit card data, were leaked (“Incident”).

Upon receipt of the data breach notification from the Company, the PCPD conducted an investigation and compliance check against the Company and found that the Company’s email system security was susceptible to unauthorised intrusion. In particular, the PCPD pinpointed the following weaknesses in the Company’s email system:

1. Inadequate password management: The 6 hacked email accounts all shared the same password, namely the default password set by the email service provider when the accounts were created. Moreover, that default password consisted of a short string of digits, which is an inherently weak password.

2. Failure to manage obsolete email accounts: One of the hacked email accounts belonged to a retired staff member of the Company and was no longer in use. The Company had failed to review and manage inactive or dormant email accounts.

3. Lack of security controls for remote access to the email system: The Company did not make use of the security monitoring and alerting function, which would have warned system administrators of suspicious logins.

4. Inadequate security controls on the information system: The Company had not put in place policies, procedures and controls to manage sensitive personal data.

In sum, the PCPD found that the Company had failed to take all practicable steps to ensure that its customers’ personal data was protected against unauthorised or accidental access, processing or use.

Breach of the Data Protection Principles

Since the Company controlled the collection, holding, processing and use of the customers’ personal data that was leaked in the Incident, the Company falls within the definition of a data user under the PDPO.

It follows that the Company is under an obligation to comply with the requirements of the PDPO, including the 6 Data Protection Principles. In particular, under Data Protection Principle 4(1), a data user is required to take all practicable steps to ensure that personal data held by it is protected against unauthorised or accidental access, processing, erasure, loss or use, which includes protection against hacking incidents.

In light of the investigation findings set out above, the PCPD found that the Company had breached Data Protection Principle 4(1) of the PDPO by failing to take all practicable steps to ensure that its customers’ personal data was protected against unauthorised or accidental access, processing or use.

Enforcement action

In light of the Company’s breach, the PCPD issued an Enforcement Notice to the Company, directing it to take remedial steps and preventive measures to enhance its email system so as to prevent recurrence of similar breaches:

1. Enhance the information security policy and implement a strong password management policy.

2. Develop a mechanism for the regular deletion of expired or obsolete email accounts, and regularly monitor and audit (including by internal audit) the usage of email accounts.

3. Devise effective measures to ensure staff compliance with the revised information security policy.

4. Engage an independent data security expert to conduct regular reviews and audits of the security of its information system, including the email system.

5. Develop up-to-date training and education for staff members on information security, with proper records of the training process and measurements of participation and effectiveness.

6. Provide documentary proof within 2 months from the date of the Enforcement Notice showing the completion of items (1) to (5) above.

PCPD’s recommendations to organisations

The PCPD recommends that organisations better safeguard their customers’ personal data by taking the following steps:

1. Establish a data privacy management programme: Maintain a proper system to manage personal data from collection to disposal, and ensure the ability to respond promptly to data breaches.

2. Implement a policy on email communications: Devise a protocol that sets out the kinds of personal data that employees are allowed to send via email.

3. Adopt security measures: Prevent unauthorised interception of personal data, for example by encrypting the data.

4. Raise employees’ awareness of data privacy: Employees should be properly and adequately trained in data protection procedures.

Conclusion

The Investigation Report serves as a useful reminder to organisations in Hong Kong of their statutory duty to protect the personal data they collect. Organisations should remain vigilant against cyberattacks, devise effective cybersecurity measures, and update their cybersecurity policies regularly. In particular, organisations are expected to implement an effective password management policy, deactivate unused and obsolete email accounts, and provide employees with adequate and regular training on information security.

For enquiries, please feel free to contact us at:

E: techcyber@onc.hk
T: (852) 2810 1212
W: www.onc.hk
F: (852) 2804 6311

19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong

Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.

Published by ONC Lawyers © 2022
