Page:Ransomware Attack on the Servers of The Hong Kong Institute of Bankers.pdf/6

HKIB Contravened DPP4(1)

DPP4(1) stipulates that all practicable steps shall be taken to ensure that any personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use.

Having considered the facts of the Incident and the evidence obtained during the course of investigation, the Commissioner found that there were apparent deficiencies in risk awareness about data security and in the personal data security measures of HKIB, which led to the avoidable intrusion of the Servers and access to personal data stored therein by the hacker through exploitation of the Vulnerability:-

Inadequacies in Management of Data Security Risk: Although HKIB stated that its IT Department lacked experience in maintaining critical network infrastructure and therefore outsourced the relevant work to the Service Provider, the Commissioner considered that the fact that HKIB did not stipulate any risk management mechanism for data security, and did not require its service providers to act in accordance with such a mechanism before the Incident, reflected a lack of effective monitoring of the data security measures of its service providers. If HKIB had exercised prudence and due diligence to clearly stipulate the risk management mechanism for data security in the services agreement and required the service providers to conduct regular security checks and vulnerability scans in compliance with such a mechanism, it could have identified the serious potential risk posed by the Vulnerability to its system and patched the Vulnerability as early as possible to prevent the Incident from happening.

Deficiencies in Information System Management: The Commissioner noted that HKIB had the following deficiencies in the security measures of its information system at the time of the Incident: 