The privacy watchdog’s investigation looked into the Cyberport data breach, which occurred in August last year.

The investigation found the breach involved the personal data of 13,632 people, 8,000 of whom had employment ties with the company, including 5,292 unsuccessful applicants and former employees. Others were managerial staff, interns and business partners.

The personal data stolen included names, as well as ID card and passport numbers, while some victims had their financial information such as bank account numbers, medical reports, photos, birth dates, social media accounts and academic information leaked.

Thirteen Windows systems and two virtual servers were compromised.

Chung said Cyberport contravened two principles of personal data protection laws by not keeping information secure and keeping it over the intended retention period, which warranted an enforcement notice.

“The earliest case we know of dates back to 2016, when the person concerned had sought employment with the company, but their data was kept ever since, until the incident happened,” Chung said.

The commissioner added that Cyberport’s data retention policy stipulated that jobseekers’ personal information would be kept for one year after their application, while that of staff would only be retained during their employment period.

But the tech hub has been unable to explain why it kept thousands of former candidate and staff files beyond their intended storage periods.

“[Cyberport] had only discovered the unnecessary retention of data upon the discovery of the data breach incident, so they were unable to provide an explanation for failing to delete the data in question,” Chung said.

“However, the crucial point of our investigation is not why they had failed to do so, but that they had failed to do so. The net result is what we are looking for, and [that] demonstrates a contravention of the Privacy Data Ordinance.”

Cyberport lost more than 400GB of data, including bank account information and ID card soft copies, in the cyberattack but did not reveal the number of victims last year.

Hong Kong’s Cyberport apologises over data theft, vows to improve security

The firm only disclosed the incident in September, when cybersecurity information platform FalconFeedsio said on its social media page that ransomware group Trigona had added Cyberport to its list of victims.

Chung revealed that Trigona had first gained access to an administrator account of Cyberport’s network on August 6 through brute force attacks, where hackers would try to guess an account’s password. Hackers then proceeded to disable Cyberport’s antivirus software before launching further attacks.

Eight days later on August 14, Cyberport noticed its files being attacked and maliciously encrypted. It tried to fix the situation by changing passwords for all accounts.

But on August 17, the company received Trigona’s demand for ransom payment before being attacked the next day.

The watchdog’s investigation also uncovered multiple loopholes and blunders in the firm’s cybersecurity measures, from inadequate protection to vague policy terms.

Among the 13 compromised Windows systems, one of them was found to have been put to use without a prior cybersecurity risk assessment or security audit.

Cyberport was also discovered to have relied on one antivirus program to protect its vast network, which Chung called “insufficient and disproportionate”.

Multi-factor authentication, which requires users to provide two or more different pieces of information to gain access to a computer system, was also not in use.

Hong Kong school told to review data policy after alleged student privacy breach

Chung said that inadequacy allowed Trigona hackers to gain complete control over an administrator account once they had guessed the correct password during their brute force attacks in August.

Investigations also showed that Cyberport’s most recent security audit took place at the end of 2021, more than a year before the breach, leading the privacy watchdog to criticise the firm’s practice of conducting security assessments every two years.

Chung also said Cyberport’s network security policy was too general, lacking operational guidelines for employees to follow.

“In their policy, they said they would conduct ‘regular antivirus checks’, but they only said ‘regular’ without detailing how frequent these checks would be,” the commissioner noted.

Under the watchdog’s enforcement notice, Cyberport will need to perform a series of security checks and reinforcements, implement multi-factor verification procedures, hire an independent security expert for annual audits and lay out clear guidelines for the prevention, detection and response to cybersecurity threats by May 20.

Cyberport promised on Tuesday to upgrade its defence capabilities against online attacks. It said a task force set up following the incident last year had found “room for improvement” in the hub’s information security and data management. It had reinforced “multiple measures to enhance the calibre and awareness of information system security and data security at all operational levels”.

“Cyberport has also reviewed and strengthened measures for personal information management to ensure compliance with personal information protection principles outlined in the [privacy law],” it said.

Hong Kong privacy watchdog probes data breach at prominent sports club

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said he was surprised by Cyberport’s weak defences against a brute force attack.

Fong two-factor authentication would have required users to follow up a login attempt with a physical key or biometric scan. He said Cyberport could have limited the number of login attempts or locked down an account after too many attempts at entry were recorded.

He also proposed the hub conduct a security audit every three to six months.

Lawmaker Duncan Chiu, who represents the technology and innovation sector in the legislature, said the theft of data had underscored the need for more resources to be devoted to cybersecurity at organisations.

IT veteran Joseph Leung Wai-fung said the incident could damage the image of Cyberport both locally and internationally as it was at the forefront of the information technology industry in Hong Kong.

“The incident does not tell a good story to companies looking for digital transformation,” he said.