Page:Ransomware Attack on the Servers of The Hong Kong Institute of Bankers.pdf/9

practicable steps to ensure that the personal data involved was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP4(1) concerning the security of personal data.

While the Incident reveals room for improvement on HKIB's part, the Commissioner is pleased to note that HKIB made a timely data breach notification, cooperated with the PCPD's investigation, and is committed to learning from the Incident. After the Incident, HKIB has implemented various organisational and technical measures and fixed the Vulnerability to enhance the overall system security for the protection of personal data privacy.

Enforcement Action

The Commissioner exercised her power pursuant to section 50(1) of the Ordinance to serve an enforcement notice on HKIB (the Enforcement Notice), directing it to take the following steps to remedy and prevent recurrence of the contravention:-

Thoroughly review the security of HKIB's systems containing personal data to ensure that they are free from known malware and security vulnerabilities;

Engage an independent data security expert to conduct reviews and audits of HKIB's system security (including the servers containing personal data) on a regular basis;

Revise the system security policy to explicitly require HKIB to conduct regular vulnerability scans on its network infrastructure (including firewalls and servers);

Revise the system security policy to specify the policies and requirements for patch management and take measures to ensure that relevant staff members and service providers providing system