Massive data breach at Cyberport wake-up call for Hong Kong
Cyberport has been ordered to clean up its online security act after shocking new details were uncovered about last year’s data breach at the government-funded technology hub. The revelations should prod a wider reckoning and stepped up efforts to fight cybercrime. An investigation by the Office of the Privacy Commissioner for Personal Data determined that hackers stole data of more than 13,000 staff and jobseekers. Cyberport has been ordered to make improvements and submit a report within two months.
Commissioner Ada Chung Lai-ling said investigators found Cyberport “failed to implement sufficient and effective measures” to ensure information systems security. She said 13 Windows operating systems and two virtual servers were found to be compromised during the August breach.
Leaked data included names, ID card and passport numbers, bank details, medical reports, photos, birth dates, social media accounts and academic information. Employment data stolen related to nearly 5,300 people who no longer work for Cyberport as well as many unsuccessful applicants with some files dating back to 2016. An enforcement notice said Cyberport failed to comply with two personal data protection law principles because it did not keep information secure and retained data beyond its own policy limits.
Cyberport admitted losing more than 400GB of data in September after an independent cybersecurity information platform flagged it as a victim of ransomware group Trigona. Hackers first gained access on August 6 using “brute force” password guessing.
The privacy commission report said Cyberport’s security audits were too infrequent, and the hi-tech hub had no operational guidelines for employees. Only one antivirus program was used to shield Cyberport’s vast network, and there was no multi-factor authentication, which requires users to enter two or more different pieces of information to access systems. The watchdog has ordered such procedures to be implemented along with a series of security checks and the hiring of an independent expert for annual audits.
Cyberport has promised to upgrade its defences and to bring its personal information management protocols in compliance with laws. However, a more difficult job lies ahead when it comes to fixing the image of an organisation that should be at the forefront of the information technology industry in Hong Kong.
Experts and lawmakers representing the sector are right to voice concerns and call for more resources to improve cybersecurity. Cyberport’s woes should serve as a cautionary tale about everyone doing a better job keeping hackers from tearing up the pages of Hong Kong’s digital transformation story.