Hong Kong: PCPD issues enforcement notice on Cyberport following data breach
On April 2, 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) announced that it had issued an enforcement notice to Hong Kong Cyberport Management Company Limited for violations of the Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2021 (PDPO) following a breach notification.
Background to the decision
The PCPD stated that Cyberport submitted a breach notification to the PCPD on August 18, 2023, stating, among other things, that its computer systems and file servers had been attacked by ransomware and maliciously encrypted and a ransom payment had been demanded from Cyberport to unlock the encrypted files. The incident resulted in the leakage of the personal data of more than 13,000 data subjects.
Findings
The PCPD stated that Cyberport had not taken all practicable steps to ensure that the personal data involved was protected against unauthorized or accidental access, processing, erasure, loss, or use, in violation of Data Protection Principle (DPP) 4(1) of the PDPO. Additionally, the PCPD found that Cyberport had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfillment of the purpose for which the data was used, in violation of DPP 2(2).
Moreover, the PCPD highlighted that the breach was attributable to the following deficiencies:
- lack of effective detection measures in Cyberport's information systems;
- failure to enable multi-factor authentication for remote access to data;
- insufficient security audits of the information systems;
- lack of specificity in the information security policy; and
- unnecessary retention of personal data.
Outcomes
In light of the above, the PCPD issued an enforcement notice setting out the steps Cyberport must take to remedy the contravention and prevent a similar recurrence.
The PCPD also issued the following recommendations to organizations that use information and communication technologies to process personal data:
- establish a personal data privacy management program and appoint data protection officers (DPOs);
- establish a robust cybersecurity framework;
- conduct timely risk assessments and security audits of information systems;
- establish a corporate culture that values information security; and
- delete personal data in a timely manner.