The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong published an investigation report today concerning a ransomware attack on the database of Fotomax (F.E.) Limited. From the news release:
The investigation arose from a data breach notification lodged by Fotomax with the PCPD on 1 November 2021, which reported that the database of its online store (the Database) had been attacked by ransomware and maliciously encrypted on 26 October 2021. A total of 544,862 members and 73,957 customers who had ordered products and/or accepted services from its online store between 16 November 2020 and 26 October 2021 were affected in the incident.
From the evidence collected in the investigation, the Privacy Commissioner finds that Fotomax had the following serious deficiencies which contributed to the avoidable exploitation of a vulnerability and access to personal data in the Database by the hacker:
- Misevaluation of security vulnerability risk;
- Deficiencies in information system management; and
- Procrastinated implementation of multi-factor authentication.
In the present case, the Privacy Commissioner finds that Fotomax had serious deficiencies in risk awareness and personal data security measures which led to the ransomware attack on the Database. The Privacy Commissioner considers that Fotomax had not taken all practicable steps to ensure that the personal data involved was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) concerning the security of personal data under the PDPO. The Privacy Commissioner has issued an Enforcement Notice to Fotomax, directing Fotomax to remedy and prevent recurrence of the contravention.
You can download “Investigation Report: Ransomware Attack on the Database of Fotomax (F.E.) Limited” at https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r22_18947_e.pdf