Hong Kong Cyberport data breach last year affected 13,632 staff and jobseekers, privacy watchdog says, slamming cybersecurity oversights – Technologist

The privacy watchdog’s investigation looked into the breach of Cyberport’s data, which occurred in August last year.

The investigation found the personal data of 13,632 people was leaked including 8,000 staff and 5,292 unsuccessful applicants and former employees. Others included the managerial staff of the organisation, interns and business partners.

The personal data stolen involved names, ID card and passport numbers, while some victims had their financial information such as bank account numbers, medical reports, photos, birth dates, social media accounts and academic information leaked.

Thirteen Windows systems and two virtual servers were compromised.

Commissioner Chung said Cyberport contravened two principles under personal data protection laws by not keeping personal data secure and retaining such information over the intended retention period, which warranted an enforcement notice.

“The earliest case we know of dates back to 2016, when the person concerned had sought employment with the company, but their data was kept ever since, until the incident happened,” Chung said.

The commissioner added that Cyberport’s data retention policy stipulated that jobseekers’ personal information would be kept for one year after their application, while that of staff would only be retained during their employment period.

But the technology hub has been unable to explain why it has kept thousands of former candidate and staff files beyond their intended storage periods.

“[Cyberport] had only discovered the unnecessary retention of data upon the discovery of the data breach incident, so they were unable to provide an explanation for failing to delete the data in question,” Chung said.

“However, the crucial point of our investigation is not why they had failed to do so, but that they had failed to do so. The net result is what we are looking for, and [that] demonstrates a contravention of the Privacy Data Ordinance,” Chung added.

Cyberport lost over 400GB of data, including bank account information and ID card soft copies, in the cyberattack but did not reveal the number of victims last year.

Hong Kong’s Cyberport apologises over data theft, vows to improve security

The firm only disclosed the incident in September, when cybersecurity information platform FalconFeedsio said on its social media page that ransomware group Trigona had added Cyberport to its list of victims.

Chung revealed that Trigona had first gained access to an administrator account of Cyberport’s network on August 6 through brute force attacks, where hackers would try to guess an account’s password. Hackers then proceeded to disable Cyberport’s antivirus programme before launching further attacks.

Eight days later on August 14, Cyberport noticed its files being attacked by ransomware and being maliciously encrypted. The organisation tried to fix the situation by changing passwords for all accounts.

But on August 17, the company received Trigona’s demand for ransom payment before being attacked by ransomware and encryption again on the next day.