Office of the Privacy Commissioner for Personal Data: Investigation Report on the Ransomware Attack on the Servers of the Hong Kong Institute of Bankers

View PDF

Authored by: Simon Deane and Ally Leow

The Office of the Privacy Commissioner for Personal Data (“PCPD”) released an investigation report (“Report”) into a data breach incident relating to the Hong Kong Institute of Bankers (“HKIB”) on 9 February 2023.

On 11 January 2022, HKIB notified the PCPD that 6 of HKIB’s servers containing personal data (“Servers”) had been attacked by ransomware and maliciously encrypted by a hacker (“Incident”). HKIB stated that the firewall (“Firewall”) it used was purchased from and maintained by a service provider (“Provider”). It maintained that both HKIB and the Provider were not aware of the vulnerability in the Firewall which allowed the hacker to perform the attack.

PCPD found that HKIB, as a data user under the Personal Data (Privacy) Ordinance (Cap.486; “PDPO”), contravened Data Protection Principle 4(1) in failing to take all practicable steps to ensure that the personal data involved were protected from unauthorised or accidental access, processing, erasure, loss or use. The PCPD also found that the Incident was caused by HKIB’s failure to patch the affected system, and there were inadequacies in HKIB’s management of data security risk and security measures in respect of its information system. The PCPD further considered that HKIB adopted a lax approach towards service providers in the maintenance of critical network infrastructure, resulting in ineffective security measures against cybersecurity risks and threats. An enforcement notice was served on HKIB directing it to remedy and prevent recurrence of the Incident or similar breaches.

To view the PCPD’s Media Statement, please see here. To access a full copy of the Report, please see here.

Key Contacts

Simon Deane

Consultant | Banking and Finance

Email or call +852 2825 9209