Over 35,000 citizen data at stake as digital marketing agency Fimmick attacked by ransomware

More than 35,000 customers' personal data could be exposed as digital marketing agency Fimmick's computer system was attacked by ransomware in September. 

The Office of the Privacy Commissioner for Personal Data (PCPD) has received a series of received data breach notifications from Fimmick and its cooperate clients since 4 October, reporting that Fimmick’s computer system had been attacked by ransomware in September 2021, which caused the leakage of some of the personal data processed by Fimmick. The PCPD contacted Fimmick on 6 October to follow up the incident and commenced an investigation on 12 October. Eight days later, the PCPD received further information from Fimmick on 20 October.

The PCPD said Fimmick holds and processes the personal data of the customers of many Hong Kong companies, including their names, dates of birth, telephone numbers, email addresses and residential addresses, to name a few. PCPD added that the number of individuals affected in the incident could be up to 35,000. 

As of 21 October, the PCPD confirmed that customers of L’Oreal Hong Kong were affected. Their names, telephone numbers, email addresses, residential addresses, months of birth, Facebook names and Facebook email addresses were exposed. Additionally, the PCPD also received data breach notifications from other Fimmick's corporate clients regarding the incident, reporting that they were still investigating the matter. These companies included Bupa (Asia), Coca-Cola China, Europe Group Holdings, Green Square Marketing, Mead Johnson Nutrition (Hong Kong), Mentholatum (Asia Pacific), McDonald's Hong Kong, Nestle Hong Kong and Reckitt Benckiser Hong Kong. 

Ada Chung Lai-ling, the Privacy Commissioner for Personal Data appealed to citizens who have provided personal data to the above companies, including those who have become their fan club members or made online purchases of the relevant products, to be vigilant about potential theft of personal data. The PCPD also advised citizens who were in doubt about whether their personal data have been leaked to make enquiries with the companies or the PCDC. 

Chung said, "Organisations affected by the incident to report the matter to the PCPD and notify the affected customers as soon as practicable if they consider that there is leakage of the personal data of their customers in the incident. Organisations need take effective security measures to protect the personal data of their customers as required by the Personal Data (Privacy) Ordinance. If an external service provider is engaged as a data processor, the organisation must adopt contractual or other means to safeguard personal data from unauthorised or accidental access, processing, loss or use."

MARKETING-INTERACTIVE has reached out to Fimmick for further information. 

Strengthen your omnichannel marketing capabilities today with MARKETING-INTERACTIVE's Omnichannel Marketing Asia on 23 November. Learn ways to build an evidence-based practice, up the ante on your strategies, and be head and shoulders above your competition. Click here to register today!