Hacker-hit Hong Kong consumer watchdog ordered to fix data security problems within 2 months

  • Privacy commissioner Ada Chung says leak of 477 people’s personal information mainly due to Consumer Council’s failure to set up multi-step authentication for remote work
  • Email alert system also failed to notify watchdog of attack last September, with council only learning about incident once US$500,000 ransom request was sent

The incident last September resulted in the names, phone numbers, addresses and income data of 289 complainants being leaked, among others. Photo: Shutterstock
Hong Kong’s consumer watchdog breached privacy rules when the personal information of more than 470 people was leaked in a cybersecurity attack, an investigation has found, with authorities giving it two months to fix its data protection problems.

Privacy Commissioner for Personal Data Ada Chung Lai-ling disclosed the findings from an investigative report on Thursday, months after hackers managed to obtain access to an administrator account belonging to the Consumer Council’s IT staff on September 4 last year.

The group used the account to carry out various malicious activities weeks later and tried to force the watchdog to pay a ransom of US$500,000. The hacker maliciously encrypted 93 systems and accessed 11 servers and workstations.

Chung mainly attributed the cyberattack to a failure to introduce a multi-step authentication system for the remote access of data. She urged other organisations to adopt the same measure, noting such systems were usually affordable.

“The council has not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss, or damage,” she said.

“[Multi-factor authentication] will provide additional protection to the entire information system other than just by relying on the password.