Bankers' institute draws fire for handling of hacking, leak
Hong Kong's privacy watchdog yesterday slammed the Hong Kong Institute of Bankers for failing to protect the personal information of more than 113,000 people in a data leakage after the institute was held to ransom by hackers who got into six servers.
The Office of the Privacy Commissioner for Personal Data has also followed up on 2,128 cases of doxxing up till the end of last year since legislation criminalizing such behavior came into force in October 2021.
Commissioner Ada Chung Lai-ling said there were "serious deficiencies" within the institute in its handling of the matter and that it had violated the Personal Data Ordinance.
The hack occurred on December 30, 2021, when ransomware was used to block off the six servers containing personal data and the institute's computers and backup data.
The leaked data included names, contact information, titles, and names of employers of some 13,000 members and 100,000 non-members of the institute.
Some people even had their identity card and credit card numbers leaked.
An investigation by the watchdog found the institute failed to update its Secure Sockets Layer Virtual Private Network after purchasing the system in 2018, while the institute didn't enable multifactor authentication to enhance the security of the system.
"If it had enabled multifactor authentication, it will not be so easy for the hacker to get access," Chung said.
"We have urged the institute to enhance the security of its data management system to prevent similar incidents from happening again," she added.
The office has served an enforcement notice, directing the institute to remedy and prevent a recurrence.
The watchdog received a total of 3,848 complaints last year, up 15 percent, with more than half involving doxxing allegations.
"It is because we have carried out a series of promotional and publicity and educational activities in relation to the new anti-doxxing regime," Chung said.
She said 95 percent of the complaints were about private organizations or individuals, while the rest were targeted at public organizations or government departments.
Under the new law, the office is empowered to carry out criminal investigations, institute prosecutions and issue cessation notice to stop doxxing.
Chung said the office handled 2,128 doxxing cases last year, and initiated 114 criminal probes, with 32 cases referred to the police for further follow-up actions.
A total of 12 arrests were made as of December 31, with five people having been charged.
Three of them were convicted as of so far this month, with one sentenced to eight months, while the rest are still winding their way through the legal process.
A total of 1,500 cessation notices to 26 online platforms were issued, requesting the removal of 17,703 doxxing messages, with a compliance rate of over 90 percent.