The incident last September resulted in the names, phone numbers, addresses and income data of 289 complainants being leaked, among others. Photo: Shutterstock

Hacker-hit Hong Kong consumer watchdog ordered to fix data security problems within 2 months

  • Privacy commissioner Ada Chung says leak of 477 people’s personal information mainly due to Consumer Council’s failure to set up multi-step authentication for remote work
  • Email alert system also failed to notify watchdog of attack last September, with council only learning about incident once US$500,000 ransom request was sent
Hong Kong’s consumer watchdog breached privacy rules when the personal information of more than 470 people was leaked in a cybersecurity attack, an investigation has found, with authorities giving it two months to fix its data protection problems.

Privacy Commissioner for Personal Data Ada Chung Lai-ling disclosed the findings from an investigative report on Thursday, months after hackers managed to obtain access to an administrator account belonging to the Consumer Council’s IT staff on September 4 last year.

The hackers used the account to carry out various malicious activities weeks later and tried to force the watchdog to pay a ransom of US$500,000. They encrypted 93 systems and accessed 11 servers and workstations.

Chung mainly attributed the cyberattack to a failure to introduce a multi-step authentication system for the remote access of data. She urged other organisations to adopt the same measure, noting such systems were usually affordable.

“The council has not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss, or damage,” she said.

“[Multi-factor authentication] will provide additional protection to the entire information system other than just by relying on the password.

“According to some information technology literature, the protection given by this multi-factor authentication will be enhanced to more than 99 per cent if this feature is enabled.”

Chung said the council intended to introduce multi-factor authentication when it adopted a work-from-home policy in 2020 during the Covid-19 pandemic.

But staff had opposed the plan since it required installing additional software on their devices, she added.

Privacy Commissioner for Personal Data Ada Chung has served the council with an enforcement notice that requires it to implement multi-factor authentication for remote users. Photo: Yik Yeung-man

The privacy commissioner also said the watchdog’s cybersecurity system was not configured properly and failed to send out email alerts in response to the cyberattack, with the council only learning of the incident once the ransom request came through.

“If the council reviewed or rectified the settings before the incident, it might have increased the chances of identifying early manoeuvres by hackers, avoiding the ransom attack and unauthorised access of the data,” she said.

Chung said it was currently unknown why the account credentials were leaked to hackers, adding that the IT staff involved had resigned and the council could not find any reason behind the problematic configuration.

The commissioner’s office said the council had also failed to prohibit the storage of personal data on testing servers due to “human error or oversight”.

The cyberattack resulted in the names, phone numbers, addresses and income data of 289 complainants being leaked, alongside the personal information of 138 current and 24 former employees of the consumer watchdog.

The tally also included the data of 26 people working for the council’s IT vendors.

The commissioner served the council with an enforcement notice that required it to implement multi-factor authentication for remote users, regularly review its cybersecurity measures, conduct risk assessments and security audits, as well as offer staff training.

The consumer watchdog has two months to submit proof of its compliance with the notice, with the relevant parties facing a fine of up to HK$50,000 (US$6,390) and two months in prison if they fail to comply.

The commissioner’s office has received 20 inquiries and eight complaints about the incident.

In response to the investigation, the Consumer Council said no information from the leak was found to have been published on the dark web – where criminals buy and sell data – according to a service provider entrusted by the watchdog.

The council also said it had taken measures to strengthen security, such as enabling multi-factor authentication, reviewing functions of its cybersecurity system and improving its IT policies.

It added that it had also engaged forensic experts to investigate the event, who ascertained that the account used by hackers always had “complex passwords without any sign of brute-forcing” and its credentials were not found on the dark web.

It is not the first time the government or related bodies have breached privacy rules. Cyberport, managed by a company wholly owned by the government, had data of 13,000 employees and jobseekers stolen last August after a hacker attack.

Lawmaker Duncan Chiu, who represents the innovation and technology sector, said these incidents rang an alarm bell and the government should offer help to the public bodies as they might not have sufficient resources to hire in-house IT staff.

“The government can consider developing tools and systems for these statutory bodies. It can standardise cybersecurity quality better than each body working on its own,” he said.

Chiu also said the administration could consider expanding its subsidy scheme for small to medium-sized enterprises to cover development of cybersecurity solutions.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said hackers might have attacked the system and accessed the information through loopholes in the network and security software. He urged the council and other companies to keep their cyber systems updated and safe.