Published: 18:41, October 22, 2024 | Updated: 19:07, October 22, 2024
Cybersecurity deficiencies led to sports club data leak
By Stephy Zhang in Hong Kong

Privacy Commissioner Ada Chung Lai-ling (left) and Chief Personal Data Officer (Compliance and Enquiries) Brad Kwok Ching-hei introduce the findings of their investigation into the data breach incident at the South China Athletic Association on Oct 22, 2024. (PHOTO / PRIVACY COMMISSIONER'S OFFICE)

Investigators discovered that the South China Athletic Association (SCAA) had insufficient cybersecurity measures in place, leading to a significant data breach affecting over 72,000 members in March, the Office of the Privacy Commissioner for Personal Data reported.

The watchdog also noted that data breach incidents involving schools and non-profit organizations have nearly doubled in recent years, urging them to strengthen data security resources to safeguard the extensive personal data of their members and students.

The March data leak exposed personal information of 72,315 SCAA members, including names, Hong Kong identity card numbers, passport numbers, photos, addresses, phone numbers, and email addresses.


During a media briefing on Tuesday, the office highlighted six cybersecurity deficiencies at the association, including accidentally exposing its servers to the internet, inadequate measures for detecting hacker activity, and the absence of multi-factor authentication for administrator accounts.

The lack of security policies and guidelines, routine checks and risk assessments, as well as offline data backups, further exacerbated the situation.

Privacy Commissioner for Personal Data Ada Chung Lai-ling revealed that hackers had installed malware on the sports club’s system as early as January 2022, but the association failed to spot it until the data leakage this year.

Chung stated that the hackers invaded the club’s network in March this year, installed remote control software and eventually encrypted files containing members' personal information with ransomware, affecting eight servers, a data storage device, and 18 computers; the hackers then demanded a ransom from SCAA.


Investigators revealed that on March 15 and 16, hackers made over 43,400 login attempts in brute-force attacks on SCAA server administrator accounts.

Chung mentioned that the club’s computer system had no lockout feature to deter attacks by blocking further attempts after unsuccessful password entries, allowing hackers to attempt 20,000 logins within four hours.

The office emphasized that the incident could have been prevented had the club deployed adequate detection measures or alert tools, and it ruled that SCAA showed weak awareness of safeguarding members’ personal data, in violation of the Personal Data (Privacy) Ordinance.
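The two gaps described above, no lockout after failed password entries and no detection or alert tooling, can be shown in working code. The following Python is an added example, not part of the article or of any SCAA system: it runs a sliding-window brute-force detector over constructed, labelled sample log lines, and computes the most guesses one account can receive in four hours under an assumed lockout policy (five failures, 15-minute lock).

```python
import math
from collections import deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the SCAA incident): seven rapid
# failures against an administrator account, then a user who mistypes once and succeeds.
SAMPLE_LOG = """\
2024-03-15T02:00:01 FAILED user=administrator src=198.51.100.7
2024-03-15T02:00:02 FAILED user=administrator src=198.51.100.7
2024-03-15T02:00:02 FAILED user=administrator src=198.51.100.7
2024-03-15T02:00:03 FAILED user=administrator src=198.51.100.7
2024-03-15T02:00:03 FAILED user=administrator src=198.51.100.7
2024-03-15T02:00:04 FAILED user=administrator src=198.51.100.7
2024-03-15T02:00:04 FAILED user=administrator src=198.51.100.7
2024-03-15T09:30:00 FAILED user=coach src=192.0.2.10
2024-03-15T09:30:40 SUCCESS user=coach src=192.0.2.10
"""

def parse(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert (user, source, first_failure_iso, count) each time an
    account reaches `threshold` failures from one source inside a sliding window."""
    recent = {}   # (user, src) -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result != "FAILED":
            continue
        q = recent.setdefault((user, src), deque())
        q.append(ts)
        while ts - q[0] > window:        # drop failures that have aged out of the window
            q.popleft()
        if len(q) == threshold:           # fire once, when the threshold is first crossed
            alerts.append((user, src, q[0].isoformat(), len(q)))
    return alerts

def max_attempts_with_lockout(hours, max_failures=5, lockout_minutes=15):
    """Upper bound on password guesses one account can receive in `hours` when
    every `max_failures` consecutive failures lock it for `lockout_minutes`.
    Policy values are assumptions for illustration, not SCAA's settings."""
    batches = math.ceil(hours * 60 / lockout_minutes)   # guess bursts that fit in the period
    return batches * max_failures

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
    print(max_attempts_with_lockout(4))   # 80, against the 20,000 attempts seen with no lockout
```

With the assumed policy, an attacker gets at most 80 guesses per account in four hours, and the detector raises its alert on the fifth failure rather than after tens of thousands.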

The office has issued an enforcement notice to SCAA, requiring it to annually review the necessity of connecting personal data systems to the internet, regularly inspect and update detection and alert tools, and hire independent information security experts for annual risk assessments and security audits.


SCAA has two months to submit proof of improvement measures.

In the same briefing, Chung noted a rising trend in data breach incidents reported by schools and non-profit organizations, accounting for approximately 40 percent of the 157 incidents reported last year, nearly double the previous year’s numbers.

Schools and non-profit organizations often hold a large amount of sensitive personal data. They must stay vigilant against cyber-attacks and should allocate sufficient resources to enhance data security measures, the office warned.


stephyzhang@chinadailyhk.com