Data Protection Principle 4(1) requires data users to take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use.

ImagineX Management Company Limited ("ImagineX")

ImagineX is a Hong Kong brand management and distribution company for international fashion and beauty businesses. It runs and manages loyalty membership programmes for its partner brands.

As a well-established brand management and distribution company for international fashion and beauty businesses, ImagineX holds and processes a significant amount of personal data of customers and employees. The Personal Data Privacy Commissioner ("the Commissioner") considered that stakeholders (in particular customers) have a reasonable expectation for ImagineX to implement a high standard of data security measures for its information systems.

In an action that proved highly compromising, ImagineX had created and opened a temporary user account on its firewall for a vendor to enable urgent remote support.

However, the temporary user account was used by an outside third party to gain access to the entire ImagineX network. Through lateral movement within the network, the intruder exploited a vulnerability in an application server running an end-of-support operating system, enabling further penetration of the domain controller and other servers containing personal data. The incident resulted in the exfiltration of around 68GB of data from the ImagineX network; in total, 4 servers and 5 system accounts of ImagineX were compromised.

The incident affected 127,268 individuals enrolled in two loyalty programmes operated by ImagineX, as well as 14 current and former employees of ImagineX.

The personal data compromised included the names, email addresses, telephone numbers, birth months, genders and nationalities of loyalty programme members, in addition to passport copies of ImagineX employees.

The third party contacted ImagineX, claiming to have stolen all the personal data and threatening to sell it. As this constituted a clear data breach, ImagineX submitted a data breach notification to the Commissioner.

Following the incident, ImagineX notified all affected data subjects and provided them with support, including dark web monitoring and designated email addresses for handling related enquiries. ImagineX further implemented various remedial measures to enhance system security, including deleting the compromised temporary user account, replacing the end-of-support application server and deploying an endpoint detection and response (EDR) solution for real-time detection and analysis.

Through 6 rounds of enquiries and a review of the information gathered from ImagineX, the Commissioner found the following deficiencies on the part of ImagineX which contributed to the occurrence of the incident:-

1. failure to delete the temporary user account in a timely manner after system troubleshooting had been completed;

2. use of an end-of-support operating system;

3. ineffective detective measures for its information systems; and

4. insufficient security risk reviews and audits for information systems.
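The first two deficiencies above are the kind that a routine, scripted inventory check catches before an incident does: temporary accounts that outlive their purpose, and hosts whose operating system no longer receives vendor fixes. The following is an added example of such a check, not code from the case or from ImagineX; the account and host records, the operating system names and their end-of-support dates are constructed sample data, and the field names and the 90-day ceiling for any temporary account are assumptions.

```python
"""Added example: audit an account and host inventory for two of the deficiencies
identified in the ImagineX case. All records below are constructed sample data;
field names and the 90-day temporary-account ceiling are assumptions."""

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

MAX_TEMP_ACCOUNT_AGE = timedelta(days=90)  # assumed ceiling for any "temporary" account


@dataclass
class Account:
    name: str
    temporary: bool               # created for a one-off purpose (e.g. vendor support)
    enabled: bool
    created: datetime
    expires: Optional[datetime]   # None means nobody set an expiry at all
    purpose: str = ""


@dataclass
class Host:
    name: str
    os_name: str
    os_end_of_support: date       # vendor's published end-of-support date
    holds_personal_data: bool


def audit_temporary_accounts(accounts, now):
    """Return (account name, reason) pairs for enabled temporary accounts that should not exist."""
    findings = []
    for acct in accounts:
        if not acct.temporary or not acct.enabled:
            continue  # permanent or already-disabled accounts are out of scope here
        if acct.expires is None:
            findings.append((acct.name, "temporary account has no expiry set"))
        elif now >= acct.expires:
            findings.append((acct.name, f"temporary account expired on {acct.expires.date()} but is still enabled"))
        elif now - acct.created > MAX_TEMP_ACCOUNT_AGE:
            findings.append((acct.name, "temporary account older than the allowed ceiling"))
    return findings


def audit_os_support(hosts, today):
    """Return (host name, reason) pairs for hosts whose OS is past vendor end-of-support."""
    findings = []
    for host in hosts:
        if today > host.os_end_of_support:
            severity = "high" if host.holds_personal_data else "medium"
            findings.append((host.name, f"{host.os_name} end-of-support since {host.os_end_of_support} ({severity})"))
    return findings


# Constructed audit time and sample inventory (not data from the actual incident).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = [
    Account("svc-backup", temporary=False, enabled=True, created=NOW - timedelta(days=400), expires=None),
    Account("vendor-tmp-01", temporary=True, enabled=True, created=NOW - timedelta(days=120),
            expires=NOW - timedelta(days=110), purpose="urgent firewall support"),
    Account("vendor-tmp-02", temporary=True, enabled=True, created=NOW - timedelta(days=3), expires=None),
    Account("vendor-tmp-03", temporary=True, enabled=False, created=NOW - timedelta(days=200),
            expires=NOW - timedelta(days=190)),
    Account("contractor-tmp", temporary=True, enabled=True, created=NOW - timedelta(days=100),
            expires=NOW + timedelta(days=30)),
]

SAMPLE_HOSTS = [
    Host("app-01", "LegacyOS 2008", date(2020, 1, 14), holds_personal_data=True),
    Host("app-02", "CurrentOS 2022", date(2031, 10, 14), holds_personal_data=True),
    Host("kiosk-01", "LegacyOS 2012", date(2023, 10, 10), holds_personal_data=False),
]


def run_audit(accounts=SAMPLE_ACCOUNTS, hosts=SAMPLE_HOSTS, now=NOW):
    """Run both checks and return the findings grouped by area."""
    return {
        "accounts": audit_temporary_accounts(accounts, now),
        "hosts": audit_os_support(hosts, now.date()),
    }


if __name__ == "__main__":
    for area, items in run_audit().items():
        for name, reason in items:
            print(f"[{area}] {name}: {reason}")
```

On the sample inventory the account check flags the expired-but-enabled vendor account, the vendor account with no expiry and a contractor account that has simply been around too long, while the already-disabled one is ignored; the host check flags both end-of-support hosts and rates the one holding personal data higher. In practice the inventory would be pulled from the directory service and asset register, and the output fed to whoever owns account lifecycle and patching.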

The Commissioner's investigation found that the incident was caused by human oversight and inadequate security measures to safeguard ImagineX's information systems. On that basis, the Commissioner found that ImagineX had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby clearly establishing a contravention of Data Protection Principle 4(1) of the PDPO.

Accordingly, the Commissioner served an Enforcement Notice on ImagineX directing it to take measures to remedy the contravention and to prevent similar contraventions in the future. In publicising this case on the Commissioner's website, the Commissioner further took the opportunity to remind all organisations holding personal data to proactively adopt appropriate organisational and technical measures to strengthen the security of their information systems and defend against malicious attacks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.