Page:Ransomware Attack on the Servers of The Hong Kong Institute of Bankers.pdf/1



Background

On 11 January 2022, The Hong Kong Institute of Bankers (HKIB) notified the Office of the Privacy Commissioner for Personal Data (the PCPD) of a data breach incident, stating that six servers of HKIB containing personal data (the Servers) had been attacked by ransomware and maliciously encrypted, and that a hacker had threatened to upload the files in the Servers to the internet and demanded that HKIB pay a ransom to unlock the encrypted files (the Incident).

On receipt of the aforesaid data breach notification, the PCPD immediately commenced a compliance check against HKIB to ascertain the relevant facts relating to the Incident. Upon receiving further information from HKIB, the Privacy Commissioner for Personal Data (the Commissioner) believed that HKIB's acts or practices in the Incident might have contravened the requirements of the Personal Data (Privacy) Ordinance, Chapter 486, Laws of Hong Kong (the Ordinance). In May 2022, the Commissioner commenced an investigation in relation to the Incident against HKIB pursuant to section 38(b) of the Ordinance.