Tech hub failed to detect ‘brute force’ attacks: PCPD


Hong Kong’s high-tech hub failed to detect and fend off “brute force attacks” by hackers that led to a data theft affecting thousands, the privacy watchdog said on Tuesday.


The Office of the Privacy Commissioner for Personal Data (PCPD) also revealed that part of the stolen data from Cyberport, which surfaced on the internet, involved the information of unsuccessful job applicants and former staff, which was kept by the firm longer than necessary.


Some 400 gigabytes of personal data had been exposed on the dark web and US$300,000 was demanded by a ransomware group identified as Trigona, following a hacking attack on the hub’s file storage server in August last year.


Privacy commissioner Ada Chung said Cyberport lacked security audits of its information systems and effective detection measures against “brute force attacks”. In such attacks, hackers break into an information system by trying a series of software-generated passwords.


“We should expect a higher standard of cybersecurity and data security being implemented by the company,” she said.


“Being a company with a well-established database, holding a substantial amount of personal data, stakeholders and also members of the public would expect Cyberport to allocate sufficient resources to ensure its data security and cybersecurity.”


The personal data of over 13,000 individuals was leaked, with about 40 percent being job seekers who were not hired and ex-employees. In one case, Cyberport kept the information of an employee hopeful from 2016 until the time of the incident.


Chung noted that fewer people would have been affected had Cyberport removed such data in a timely manner. The tech hub’s policy states that the information of job seekers would only be on file for a year, while data pertaining to employees should be removed when they leave the company.


“We did ask for the reasons, but they were unable to provide any explanation to us on why they failed to delete the data in question,” she said.


Chung said her office had issued an enforcement notice to Cyberport, directing it to remedy the situation and prevent a similar recurrence.


The PCPD has received 65 enquiries and 33 complaints regarding the incident.


In response, Cyberport said a task force that had been set up noted “room for improvement in internal information security and data management”, while reinforcing various measures to enhance the calibre and awareness of information system security and data security.


The tech hub said it had also contacted and offered support to those affected by the data theft.
