ARTICLE
17 October 2025

Legal Update: PCPD's Investigation Reports On Two Data Breach Incidents


In this update, Pádraig Walsh from our Data Privacy team looks at two investigation reports published by the Hong Kong Privacy Commissioner for Personal Data ("PCPD") into data breach incidents occurring in 2024.

Data breach incident of Kwong's Art Jewellery and My Jewelry

Brief overview: A brute-force attack was conducted on the companies' shared information systems to obtain administrator credentials, allowing unauthorised access to sensitive data held on the systems. The breach affected approximately 79,400 individuals, including corporate customers and employees. The compromised personal data included names, Hong Kong Identity Card numbers, dates of birth, and contact details.

Deficiencies identified: The PCPD identified key deficiencies, including:

(a) failure to timely delete a former employee's account;

(b) lack of effective security and detection measures;

(c) outdated operating systems of servers; and

(d) absence of comprehensive information security policies / guidelines and regular assessments and audits.

The PCPD concluded that the companies had not taken all practicable steps to protect personal data, and that the companies had therefore contravened Data Protection Principle ("DPP") 4(1) of the Personal Data (Privacy) Ordinance ("PDPO").

Data breach incident of Adastria

Brief overview: The attack utilised the administrator credentials of a then-current employee. The attack was initiated by access from an overseas IP address. The administrator credentials granted unauthorised access to various customer order information. The breach affected approximately 59,205 customers. The compromised personal data included names, telephone numbers, and order details, which were subsequently disclosed on the dark web two months after the attack.

Deficiencies identified: The PCPD identified key deficiencies, including:

  1. weak password management and lack of multi-factor authentication;
  2. insufficient awareness of data security protocols; and
  3. failure to conduct proper security reviews.

The PCPD expressed concern over Adastria's inadequate measures to safeguard personal data, particularly given its status as a multinational fashion brand group. It concluded that Adastria had contravened DPP 4(1) of the PDPO by failing to take all reasonable steps to ensure the security of personal data.

The PCPD's recommendations

The PCPD noted that retail businesses handle significant volumes of personal data, and recommended that those businesses:

  1. establish and implement clear internal policies and procedures to safeguard the security of the information systems;
  2. implement effective measures to prevent, detect and respond to cyberattacks, including conducting regular vulnerability scans and timely patching;
  3. cease the use of end-of-support software and promptly upgrade all software;
  4. enhance password management of information systems and enable multi-factor authentication;
  5. regularly conduct security risk reviews and audits for information systems;
  6. configure appropriate security functions on service platforms provided by third-party vendors and conduct regular security reviews;
  7. formulate comprehensive data breach response plans; and
  8. adequately train employees to improve their data security awareness.

The PCPD emphasised that organisations must allocate sufficient resources to safeguard personal data against increasing cyber threats.

Conclusion

These incidents underline a critical need for robust data protection and cybersecurity measures in today's increasingly threatening digital landscape.

A privacy-secured business requires much more than a technical response. Prevention starts with commitment from senior management, and a privacy management plan that sets out policies, plans and processes. Human error is almost invariably involved in a security incident or data breach. Training and awareness programmes should be conducted to ensure that employees follow best practices and are vigilant against cyber risk.

Tanner De Witt is well-equipped to assist organisations in navigating these challenges. We regularly help businesses with policies and plans, and conduct practical, customised training to heighten awareness of prevention, mitigation and response measures.

The PCPD's Media Statement is available at this link.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
