Page:Ransomware Attack on the Servers of The Hong Kong Institute of Bankers.pdf/4

identity card numbers, credit card numbers (excluding card verification code), dates of birth, professional certification details and examination results were also affected.

The Consultant's Investigation Findings

After the Incident, HKIB immediately commissioned the Consultant to inspect the security of its information systems. According to the investigation report, the Consultant considered that: (i) HKIB did not put in place patch management procedures, which resulted in the failure to patch the affected system, thus allowing the hacker to exploit the Vulnerability, get hold of its SSL VPN account names and passwords, intrude into the system to obtain system administrative privileges, deploy ransomware and eventually succeed in encrypting the Servers; and (ii) HKIB did not enable multi-factor authentication for SSL VPN.
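The two control gaps the Consultant identified, no patch management for the Firewall and no multi-factor authentication on SSL VPN, can be expressed as a repeatable check over an asset inventory. The following Python script is an added illustration and is not part of the PCPD report or of HKIB's or the Service Provider's systems; the device names, product names, firmware versions and advisory identifier in it are constructed placeholders, and it assumes the organisation keeps an inventory recording each device's firmware version and whether its remote-access service enforces MFA.

```python
"""Added example (not from the PCPD report): a minimal control check that
flags the two gaps named in the Consultant's findings:
  (i)  network devices running firmware below an advisory's fixed version
       (no patch management), and
  (ii) remote-access services (e.g. SSL VPN) without multi-factor authentication.
All device names, product names, versions and advisory identifiers below are
constructed placeholders, not values from the report.
"""

from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.0.4' into (6, 0, 4) for numeric comparison.
    Non-numeric fragments (e.g. '4b') contribute only their digits; an
    empty fragment counts as 0. Tuples of different length compare
    element-wise, so (6, 0) < (6, 0, 4)."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Asset:
    name: str
    product: str
    version: str
    remote_access: bool   # device exposes an SSL VPN or similar remote login
    mfa_enabled: bool     # that remote login enforces multi-factor authentication


@dataclass
class Advisory:
    advisory_id: str
    product: str
    fixed_version: str    # first firmware version that contains the fix


def check_patch_level(assets: List[Asset], advisories: List[Advisory]) -> List[str]:
    """Return one finding per (asset, advisory) pair where the deployed
    firmware is older than the advisory's fixed version."""
    findings = []
    for adv in advisories:
        for a in assets:
            if a.product != adv.product:
                continue
            if parse_version(a.version) < parse_version(adv.fixed_version):
                findings.append(
                    f"{a.name}: {a.product} {a.version} is below fixed version "
                    f"{adv.fixed_version} ({adv.advisory_id})"
                )
    return findings


def check_remote_access_mfa(assets: List[Asset]) -> List[str]:
    """Return one finding per device that offers remote access without MFA."""
    return [
        f"{a.name}: remote access enabled without MFA"
        for a in assets
        if a.remote_access and not a.mfa_enabled
    ]


# Constructed sample inventory (placeholder names and versions, not HKIB's).
SAMPLE_ASSETS = [
    Asset("edge-fw-01", "ExampleFW", "6.0.2", remote_access=True, mfa_enabled=False),
    Asset("vpn-gw-02", "ExampleFW", "6.0.4", remote_access=True, mfa_enabled=True),
    Asset("core-sw-01", "ExampleSwitch", "12.1", remote_access=False, mfa_enabled=False),
]

# Constructed sample advisory feed (placeholder identifier).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "ExampleFW", "6.0.4"),
]


def run_checks(assets: List[Asset] = SAMPLE_ASSETS,
               advisories: List[Advisory] = SAMPLE_ADVISORIES) -> Dict[str, List[str]]:
    """Run both checks and group the findings by control."""
    return {
        "unpatched": check_patch_level(assets, advisories),
        "no_mfa": check_remote_access_mfa(assets),
    }


if __name__ == "__main__":
    for control, items in run_checks().items():
        print(f"[{control}] {len(items)} finding(s)")
        for line in items:
            print("  -", line)
```

Running the script against the constructed inventory reports the edge firewall twice: once for running firmware below the advisory's fixed version and once for exposing remote access without MFA, while the patched gateway with MFA and the non-remote switch produce no findings. In practice the inventory and advisory lists would be fed from the organisation's CMDB and the vendor's advisory feed rather than hard-coded.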

Responses from HKIB to the Incident

HKIB stated to the PCPD that the Firewall was maintained by the Service Provider and that neither HKIB nor the Service Provider was aware of the Vulnerability until the Incident occurred. In addition, since the installation of the Firewall in 2018, HKIB had not been informed by the Service Provider of the need to install patches for the Firewall. HKIB also stated that the purchase of the Firewall included technical support services provided by the Firewall manufacturer, but no information about the Vulnerability had been received from the Firewall manufacturer prior to the Incident.

HKIB explained that although there were four employees in its IT Department (including one department head, two senior managers and one senior officer) before the Incident, the relevant maintenance work was outsourced to the Service Provider because of the heavy workload of daily operations and user support, and the IT Department's lack of experience in maintaining critical network infrastructure.