Sammy Heung reports:
Hong Kong’s privacy watchdog has found a prominent sports club had been in breach of privacy regulations in the run-up to a large-scale leak involving about 72,000 members’ personal information.
The Office of the Privacy Commissioner for Personal Data said on Tuesday that the South China Athletic Association (SCAA) had failed to take all practicable steps to protect its members’ personal data before the breach occurred in March.
What follows is some detailed reporting by SCMP about the SCAA’s security mistakes or failures, including how the attacker gained access and what steps the attacker subsequently took. They report, in part:
The watchdog’s investigation into the incident found that a hacker in January 2022 had installed malware on one of the association’s servers that was connected to the internet.
The hacker then compromised the club’s network using the malware and installed remote control software in March 2024. “Brute force attacks” were then launched on the computer systems via remote access.
Other malicious activities conducted included “network reconnaissance, defence evasion, disabling anti-virus and anti-malware software, the installation of credential harvesting tools and lateral movement”.
That’s a lot of suspicious activity over a multi-year period that appears to have been missed.
Read more at the South China Morning Post.