What we learned from the WebSAMS data breach

26 January 2020

Nine schools in Hong Kong were attacked in a recent cybersecurity incident, resulting in a data breach for four schools. Pádraig Walsh from the Personal Data Privacy and Cybersecurity practice group of Tanner De Witt reviews what happened, and what general guidance can be learned from the incident.

On 8 November 2019, the cloud platform monitoring system of the Education Bureau detected irregularities in the WebSAMS[1] of a school. Further checking showed that the system of the school had been attacked. There was no data leakage. Steps were taken to stop the attack and to protect WebSAMS from being further affected. A new version of WebSAMS was released on 13 November 2019. The Education Bureau sent a notice advising schools to update their WebSAMS to the new version. Subsequently, nine schools reported irregularities to the Education Bureau. After investigation, it was confirmed that the WebSAMS of these schools were attacked by a source outside the school networks. A data breach occurred in respect of four of the schools, including the loss of personal data of teachers and students (but no financial data).

The schools issued notices to inform parents and their staff of the types of personal data that might have been leaked. The Education Bureau requested the schools to report the incident to the Hong Kong Police Force and to notify the Office of the Privacy Commissioner for Personal Data. The schools must also strengthen the security of their systems according to the recommendations of the Education Bureau.

This data breach incident is interesting for three reasons:

  1. The Education Bureau recommended that the schools report the data breach to the Privacy Commissioner. This prompting may have been needed because there isn’t a mandatory requirement under law to report data breaches to the Privacy Commissioner. It is best practice to do so, but reporting is still technically a matter of discretion for the data user. This is likely to change soon, as mandatory data breach notification is one of the key changes in recently published legislative proposals.

  2. The personal data leaked in the data breach included personal information of teachers and students. Data users are required to implement security features that are proportionate to the nature and classification of the categories of personal data they hold. In general, the standards of protection required for children’s personal data are higher, because of their more vulnerable position in society.

  3. The Education Bureau acted quickly. A new version of WebSAMS resolving the vulnerability was released within five days. Still, nine schools were affected by the incident and four suffered data breaches. All management, but in particular IT management, must be vigilant to immediately install upgrades and patches to address cybersecurity issues.

No financial information such as credit card data was part of the data leak. However, it would be unwise to adopt a relaxed approach for personal data that does not contain financial information. Data is the currency of our age. Also, certain kinds of personal data are particularly sensitive and warrant high levels of vigilance and security.

Cybersecurity incidents are becoming more prevalent now, and are no longer a risk reserved just to governments and big business. Holding personal data is a responsibility. A core data protection principle is that data users must take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. Ultimately, if you hold personal data of persons under your management or care, you must protect and preserve the security of that personal data.

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.


[1] WebSAMS is a web-based application system developed by the Education Bureau and provided to schools under their supervision to assist in their administration and management processes, and to enable electronic communication between schools and the Education Bureau.