Lessons learned from the PCPD privacy investigation report on an email system hack incident
Introduction
On 17 February 2022, the Privacy
Commissioner for Personal Data (“PCPD”)
issued an investigation report (“Investigation
Report”) regarding a cyber-incident, specifically, a malicious intrusion into
the email system of Nikkei China (Hong Kong) Ltd (“Company”) by hackers. In the Investigation Report, the PCPD sets
out its investigation findings regarding this cybersecurity incident, its recommendations
to organisations about cybersecurity and protection of personal data, and
details of issuance of enforcement notice on the Company regarding its
violation of Data Protection Principle 4(1) of the Personal Data (Privacy)
Ordinance (Cap. 486) (“PDPO”).
The investigation
On 17 March 2021,
the Company reported to the PCPD that 6 of its staff email accounts had been
hacked and emails were forwarded to various unknown email addresses. As a
result, personal data of more than 1,600 customers, including customers’ names,
email addresses, company names, job titles, telephone numbers and credit card
data were leaked (“Incident”).
Upon receipt of
the data breach notification from the Company, the PCPD conducted an
investigation and compliance check against the Company and found that the Company’s
email system security was susceptible to unauthorised intrusion. In particular,
the PCPD pinpointed the following weaknesses in the Company’s email system:
1. Inadequate password management: The 6 email accounts that were
hacked shared the same password, which was the default password set by the email
service provider when the accounts were created. Moreover, the default
password consisted of a short string of digits, which is an inherently weak password.
2. Failure to manage obsolete email accounts: One of the hacked email
accounts belonged to a retired staff member of the Company and was no longer
in use. The Company had failed to review and manage inactive or dormant email
accounts.
3. Lack of security controls for remote access to the email system: The
Company did not make use of the security monitoring and alerting function,
which would warn system administrators of suspicious logins.
4. Inadequate security controls on the information system: The Company
did not put in place policies, procedures and controls to manage sensitive
personal data.
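The four weaknesses above map directly onto checks a mail administrator can run routinely. The following is an added example, not code from the Investigation Report or from ONC Lawyers: a small Python audit that takes a constructed account inventory and constructed mail-server log lines and flags accounts still on a default or shared password, dormant and departed-staff accounts, successful logins to such accounts or from outside a trusted address range, a single source address logging into several accounts, and auto-forward rules pointing outside the organisation's own domain. The field names, the log format, the 90-day dormancy threshold, the domain and the address ranges are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference date: the day the Company notified the PCPD.
NOW = datetime(2021, 3, 17)
DORMANT_AFTER = timedelta(days=90)    # assumption: no login for 90 days = dormant
INTERNAL_DOMAIN = "example.com"       # assumption: the organisation's own mail domain
TRUSTED_NETS = ("198.51.100.",)       # assumption: office egress range (documentation prefix)

# Constructed account inventory. 'last_login' is the last login the directory knew
# of before the log window below. 'pwd_fingerprint' stands in for whatever the mail
# provider lets an administrator compare (e.g. a password hash): two accounts with
# the same fingerprint share a password. 'pwd_changed' is False while the account
# still uses the password the provider set at creation.
ACCOUNTS = [
    {"user": "alice", "employed": True,  "last_login": NOW - timedelta(days=1),   "pwd_changed": True,  "pwd_fingerprint": "a1f3"},
    {"user": "bob",   "employed": True,  "last_login": NOW - timedelta(days=2),   "pwd_changed": False, "pwd_fingerprint": "0000"},
    {"user": "carol", "employed": True,  "last_login": NOW - timedelta(days=5),   "pwd_changed": False, "pwd_fingerprint": "0000"},
    {"user": "dave",  "employed": False, "last_login": NOW - timedelta(days=400), "pwd_changed": False, "pwd_fingerprint": "0000"},
    {"user": "erin",  "employed": True,  "last_login": NOW - timedelta(days=200), "pwd_changed": True,  "pwd_fingerprint": "b7c9"},
]

# Constructed mail-server log lines in an assumed key=value format.
LOG_LINES = """\
2021-03-15T02:14:07Z event=login user=dave src=203.0.113.45 result=success
2021-03-15T02:15:30Z event=forward_rule user=dave target=drop@mail.invalid action=add
2021-03-15T09:01:11Z event=login user=alice src=198.51.100.7 result=success
2021-03-16T03:40:52Z event=login user=carol src=203.0.113.45 result=success
2021-03-16T03:41:09Z event=forward_rule user=carol target=drop@mail.invalid action=add
2021-03-16T10:22:40Z event=forward_rule user=alice target=alice.backup@example.com action=add
"""


def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(tok.split("=", 1) for tok in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def audit_accounts(accounts, events):
    """Return a list of (subject, code, detail) findings for the four weakness classes."""
    findings = []

    # Weakness 1: default passwords and passwords shared between accounts.
    by_fingerprint = defaultdict(list)
    for a in accounts:
        by_fingerprint[a["pwd_fingerprint"]].append(a["user"])
    for a in accounts:
        if not a["pwd_changed"]:
            findings.append((a["user"], "DEFAULT_PASSWORD", "password never changed since creation"))
        peers = [u for u in by_fingerprint[a["pwd_fingerprint"]] if u != a["user"]]
        if peers:
            findings.append((a["user"], "SHARED_PASSWORD", "same password as " + ", ".join(peers)))

    # Weakness 2: accounts of departed staff, and accounts nobody has used for a long time.
    dormant = set()
    for a in accounts:
        if not a["employed"]:
            dormant.add(a["user"])
            findings.append((a["user"], "DEPARTED_STAFF", "owner no longer with the organisation"))
        elif NOW - a["last_login"] > DORMANT_AFTER:
            dormant.add(a["user"])
            findings.append((a["user"], "DORMANT_ACCOUNT", f"no login for {(NOW - a['last_login']).days} days"))

    # Weakness 3: the alerts a monitoring function would have raised on these logins.
    logins_by_src = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e.get("result") == "success":
            logins_by_src[e["src"]].add(e["user"])
            when = f"{e['ts']:%Y-%m-%d %H:%M} from {e['src']}"
            if e["user"] in dormant:
                findings.append((e["user"], "DORMANT_LOGIN", "login to dormant account " + when))
            elif not e["src"].startswith(TRUSTED_NETS):
                findings.append((e["user"], "UNTRUSTED_SOURCE", "login " + when))
        elif e["event"] == "forward_rule" and e.get("action") == "add":
            # An auto-forward to an outside domain is how the leaked mail left the Company.
            domain = e["target"].rsplit("@", 1)[-1]
            if domain != INTERNAL_DOMAIN:
                findings.append((e["user"], "EXTERNAL_FORWARD", f"mail auto-forwarded to {e['target']}"))
    for src, users in logins_by_src.items():
        if len(users) > 1 and not src.startswith(TRUSTED_NETS):
            findings.append((src, "MULTI_ACCOUNT_SOURCE", "one address logged into " + ", ".join(sorted(users))))
    return findings


if __name__ == "__main__":
    for subject, code, detail in audit_accounts(ACCOUNTS, parse_log(LOG_LINES)):
        print(f"{code:<20} {subject:<14} {detail}")
```

Run as a script it prints one line per finding; in practice the inventory would be pulled from the directory and the log from the mail provider, and the `DORMANT_LOGIN`, `EXTERNAL_FORWARD` and `MULTI_ACCOUNT_SOURCE` codes are the ones worth wiring to an alert, since those are the events that the Company's unused monitoring function would have had to surface.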
All in all, the
PCPD found that the Company had failed to take all practicable steps to ensure
its customers’ personal data was protected against unauthorised or accidental
access, processing or use.
Breach of the Data Protection Principles
Since the Company
controlled the collection, holding, processing and use of the personal data of
its customers which were leaked in the Incident, the Company falls within the
definition of data user under the PDPO.
It follows that the
Company is under an obligation to comply with the requirements of the PDPO,
including the 6 Data Protection Principles. In
particular, under Data Protection Principle 4(1), a data user is required to
take all practicable steps to ensure that personal data held by it is protected
against unauthorised or accidental access, processing, erasure, loss or use,
including a hacking incident.
In light of the investigation
findings as set out above, the PCPD found that the Company had breached Data
Protection Principle 4(1) of the PDPO for failure to take all practicable steps
to ensure its customers’ personal data was protected against unauthorised or
accidental access, processing or use.
Enforcement action
In light of the
Company’s breach, the PCPD issued an Enforcement Notice to the Company,
directing it to take remedial steps and preventive measures to enhance its
email system so as to prevent recurrence of similar breaches:
1. Enhance the information security policy and implement a strong password management policy.
2. Develop a mechanism for the regular deletion of expired or obsolete email accounts and regularly monitor and audit (including internal auditing) the usage of email accounts.
3. Devise effective measures to ensure staff compliance with the revised information security policy.
4. Engage an independent data security expert to conduct regular reviews and audits of the security of its information system, including the email system.
5. Develop up-to-date training and education for staff members on information security, with proper records of training processes and measurements of participation and effectiveness.
6. Provide documentary proof within 2 months from the date of the Enforcement Notice, showing the completion of items (1) to (5) above.
PCPD’s recommendations to organisations
The PCPD recommends that organisations better safeguard their
customers’ personal data by doing the following:
1. Establish a data privacy management programme: Maintain a proper system
to manage personal data from collection to disposal and ensure the ability to
respond promptly to data breaches.
2. Implement a policy on email communications: Devise a protocol that sets
out the kinds of personal data that employees are allowed to send via email.
3. Adopt security measures: Prevent unauthorised interception of
personal data, for example by encrypting the data.
4. Raise the awareness of employees on data privacy: Employees should be
properly and adequately trained in data protection procedures.
Conclusion
The Investigation Report serves as a useful reminder to organisations in Hong Kong about their statutory duty to
protect the personal data they collect. Organisations should remain vigilant against
cyberattacks, devise effective cybersecurity measures, and update cybersecurity
policies regularly. In particular, organisations are expected to implement an
effective password management policy, deactivate unused or obsolete email
accounts, and provide adequate training to employees on information security
regularly.
For enquiries, please feel free to contact us at:
E: techcyber@onc.hk T: (852) 2810 1212
19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong
Important: The law and procedure on this subject are very specialised and
complicated. This article is just a very general outline for reference and
cannot be relied upon as legal advice in any individual case. If any advice
or assistance is needed, please contact our solicitors.
Published by ONC Lawyers © 2022