Data breach: Lessons from a recent investigation report in Hong Kong
21 Apr 2022
Investigation reports from the Privacy Commissioner are spilled milk stories that serve as salutary reminders to the mortals among us that there but for the grace of God, go we. This came to the fore again in the investigation report published by the Office of the Privacy Commissioner in Hong Kong on 17 February 2022 in respect of a hacker’s intrusion into the email system of Nikkei China (Hong Kong) Limited[1]. Pádraig Walsh from our Data Privacy Practice Group shares some points for us all to remember.
Key facts
A hacker obtained the password of an email account that was created by Nikkei China to communicate with customers. The hacker then set up a forwarding function for this email account and five other email accounts that shared the same password, automatically forwarding all of the incoming emails to two unknown email addresses apparently belonging to the hacker. Between October 2020 and February 2021, the hacker managed to forward emails sent to Nikkei China by 1,644 customers – 650 in Hong Kong, 994 overseas. The personal data leaked through the emails included customers’ names, email addresses, company names, job titles, telephone numbers and credit card data.
Nikkei China had Information Management Regulations which set out a framework for overall security management for company-owned information. All staff were verbally instructed to thoroughly study the content of this policy, which was held in a shared folder accessible to all staff members. There was also a set of security management measures that applied to all group companies, which included a password policy.
The alarm was raised on 1 March 2021, when a staff member of Nikkei China received a delivery failure error in respect of an email to an unknown and suspicious email address. Internal investigation identified that an unauthorised external account had control of six email accounts of Nikkei China, and the controller had surreptitiously forwarded about 16,860 emails over a five-month period.
Nikkei China notified the data breach to the Privacy Commissioner on 17 March 2021, and made a public announcement on the same day.
Common features and failings
The investigation report highlights some common features and failings of data breach incidents.
The intrusion lasted for at least four months before it was discovered. This may appear a long time, but this is a feature of many hacking incidents. Once there is an intruder within the walls of an IT system, it can be possible to remain undetected for some time. It takes an eventual odd occurrence to trigger action. In Nikkei China’s case, it was a delivery failure message on an email and an alert employee who escalated the report for further investigation.
There were 41 email accounts established at the time of the incident, 24 of which belonged to former staff members and were no longer in use. There was no system in place to retire and close redundant email accounts of persons who no longer worked with Nikkei China.
This is a surprisingly common issue. Email account activity of departed employees is less likely to be detected. These accounts are often used by hackers for attempted phishing activities, or to receive undetected emails from suppliers or customers unwittingly seeking to communicate with a departed employee.
The hacked email accounts all used the same password. This was the default password set by the email service provider when the accounts were created. The password formulation consisted of a short series of numerals – neither long nor complex. Nikkei China neither required its staff to change the default password, nor required them to change the passwords of their email accounts periodically. Weak passwords are more likely to be susceptible to brute force or phishing attacks, and represent a material vulnerability in IT security.
The web-based email service used by Nikkei China did not support multi-factor authentication. This is now standard practice to ensure that persons using such a service are identified by different means. Nonetheless, many old or legacy services do not implement multi-factor authentication. This type of issue would be picked up on third party inspections or reviews of IT systems, but Nikkei China did not conduct routine inspections of the configuration of the email system.
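The failings above (auto-forwarding to outside addresses, open accounts of departed staff, unchanged default passwords, and no routine inspection of the email configuration) are all things a periodic audit can surface. The script below is an added example, not code from the report or from Nikkei China; the mailbox inventory, the `example-corp.test` domain and the 90-day dormancy threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed placeholder domain; any forwarding target outside it is flagged.
INTERNAL_DOMAIN = "example-corp.test"
DORMANT_DAYS = 90               # assumed threshold for an unused but active account
AUDIT_DATE = date(2021, 3, 1)   # constructed audit date for the sample run


@dataclass
class Mailbox:
    address: str
    owner_active: bool              # False once the employee has left
    last_login: date
    forward_to: list = field(default_factory=list)
    default_password: bool = False  # True if the provider's initial password was never changed


def is_external(target: str) -> bool:
    """Forwarding to any address outside the company domain is treated as external."""
    return not target.lower().endswith("@" + INTERNAL_DOMAIN)


def audit_mailboxes(mailboxes, today: date):
    """Return (address, finding, detail) tuples for the failings the report describes."""
    findings = []
    for mb in mailboxes:
        external = [t for t in mb.forward_to if is_external(t)]
        if external:
            findings.append((mb.address, "external_forwarding", ";".join(external)))
        if not mb.owner_active:
            findings.append((mb.address, "departed_owner_still_open", ""))
        elif (today - mb.last_login).days > DORMANT_DAYS:
            findings.append((mb.address, "dormant", f"{(today - mb.last_login).days}d"))
        if mb.default_password:
            findings.append((mb.address, "default_password", ""))
    return findings


# Constructed sample inventory (not data from the investigation report).
SAMPLE = [
    Mailbox("sales@example-corp.test", True, date(2021, 2, 28),
            ["archive@example-corp.test", "collector@mail.invalid"], default_password=True),
    Mailbox("alumni@example-corp.test", False, date(2020, 6, 1)),
    Mailbox("intern@example-corp.test", True, date(2020, 10, 15)),
    Mailbox("ops@example-corp.test", True, date(2021, 2, 27)),
]

if __name__ == "__main__":
    for addr, finding, detail in audit_mailboxes(SAMPLE, AUDIT_DATE):
        print(f"{addr}: {finding} {detail}".rstrip())
```

Run against a real inventory exported from the mail platform, the same checks turn the one-off bounce message that exposed this incident into a scheduled control.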
Positive action
All businesses now consider security incidents and data breaches as a key risk factor they must address. A data breach could be considered a matter of when, not if. One interesting barometer of corporate culture is to assess the business response of the data user when a data breach occurs. Nikkei China responded well.
Nikkei China changed the passwords on the affected accounts and disabled the forwarding function on 1 March 2021 – the same day the incident was discovered. The next day all email account passwords were changed.
The data breach was notified to the Privacy Commissioner on 17 March 2021. This is reasonably prompt, given that Hong Kong is a jurisdiction in which there is no mandatory data breach notification obligation. Nikkei Inc. (parent company of Nikkei China) announced the data breach on its website on the same day, and Nikkei China also sent emails to affected customers and informed relevant credit card issuers.
Nikkei China migrated the email system to a cloud-based service email provider, which offered strong password security and multi-factor authentication. Other technical improvements were made to information security systems.
Nikkei China updated its Information Management Regulations, and required signed acknowledgement from its employees of having read and understood its provisions. Critically, Nikkei China also engaged external professionals to conduct training sessions on information security, and committed to undertake training on an annual basis.
Commissioner Findings
The Privacy Commissioner unsurprisingly found that Nikkei China had failed to take all practicable security measures to protect the personal data held by it. This is a requirement of the data protection principles in the Personal Data (Privacy) Ordinance[2]. This was based on findings of the following deficiencies:
- weak password management;
- retention of obsolete email accounts;
- lack of security controls for remote access to email systems; and
- inadequate security controls on its information systems.
The Privacy Commissioner issued an enforcement notice for certain prescribed steps to be taken – which, based on the investigation report, Nikkei China was attending to already.
The terms of an enforcement notice inevitably focus on concrete remedial steps to be taken to correct a data breach. Recommendations, however, are a good indication of the policy steps the Privacy Commissioner hopes businesses will adopt. These are some of the recommendations proposed by the Privacy Commissioner in the investigation report:
- establish a privacy management programme;
- appoint a data protection officer;
- adopt a policy on email communications; and
- instill a privacy-friendly culture in the workplace.
Concluding thoughts
This investigation report highlights features and failings that may well resonate with many medium-sized businesses. Have you implemented a password management policy? Do you have a system and process to remove all obsolete accounts of departed employees? Have you implemented multi-factor authentication for remote access to your systems? These failings resulted in a data breach for Nikkei China. However, there may be those among us who also need to consider these points.
We are in an era now when, in respect of information security, good is frequently not good enough. Security needs to be a consistent focus of senior management, with resources committed to ensuring that systems are robust, resilient and frequently reviewed, and people are properly trained to be aware of the risks and the good practices that can mitigate them. We, at Tanner De Witt, stand ready to help you.
Pádraig Walsh
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
[1] Report published on this link
[2] DPP4(1), Schedule 1, Personal Data (Privacy) Ordinance (Cap. 486, Laws of Hong Kong)