PCPD issues enforcement notice to Institute of Bankers upon data leak

Hong Kong's privacy watchdog has issued an enforcement notice to The Hong Kong Institute of Bankers (HKIB) after a data leak that impacted over 13,000 members and about 100,000 non-members. 

According to the press release, the Office of the Privacy Commissioner for Personal Data said it has completed an investigation regarding the incident. This comes after a data breach notification lodged by HKIB reporting that six servers which contained personal data had been attacked by ransomware and maliciously encrypted, and that a hacker had threatened to upload the files in the servers to the internet and demanded a ransom from HKIB to unlock the encrypted files. The personal data of over 13,000 members and about 100,000 non-members had been leaked in the incident.

According to the investigation report, the privacy commissioner Ada Chung found that there were deficiencies in HKIB's awareness of data security risks and in its personal data security measures, including inadequacies in the management of data security risk, deficiencies in information system management, and prolonged implementation of multi-factor authentication.

Chung also said that there were apparent deficiencies in the data security risk management and the personal data security measures of HKIB, which led to the ransomware attack on its servers which contained personal data. The commissioner considered that HKIB lacked an effective data security risk management mechanism and adopted a lax approach towards service providers in the maintenance of critical network infrastructure. As a result, the security measures of the information system which contained personal data were ineffective in addressing cybersecurity risks and threats.

Chung concluded that HKIB had not taken all practicable steps to ensure that the personal data involved was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening the Data Protection Principle concerning the security of personal data under the PDPO. The privacy commissioner has served an enforcement notice on HKIB, directing it to remedy and prevent recurrence of the contravention.

Chung recommended that organisations stay vigilant to prevent hacker attacks by conducting regular risk assessments, establish a Personal Data Privacy Management Programme to use and retain personal data in compliance with the PDPO, appoint a dedicated officer as data protection officer, and enhance information system management.
