
Investigation Report

Published under Section 48(2) of the Personal Data (Privacy) Ordinance
(Chapter 486, Laws of Hong Kong)

Ransomware Attack on the Servers of The Hong Kong Institute of Bankers


Executive Summary

Background

  1. On 11 January 2022, The Hong Kong Institute of Bankers (HKIB) notified the Office of the Privacy Commissioner for Personal Data (the PCPD) of a data breach incident, stating that six servers of HKIB containing personal data (the Servers) had been attacked by ransomware and maliciously encrypted, and that a hacker had threatened to upload the files in the Servers to the internet and demanded that HKIB pay a ransom to unlock the encrypted files (the Incident).
  2. On receipt of the aforesaid data breach notification, the PCPD immediately commenced a compliance check against HKIB to ascertain the relevant facts relating to the Incident. Upon receiving further information from HKIB, the Privacy Commissioner for Personal Data (the Commissioner) believed that HKIB's acts or practices in the Incident might have contravened the requirements of the Personal Data (Privacy) Ordinance, Chapter 486, Laws of Hong Kong (the Ordinance). In May 2022, the Commissioner commenced an investigation in relation to the Incident against HKIB pursuant to section 38(b)[1] of the Ordinance.

  1. Under section 38(b) of the Ordinance, where the Commissioner has reasonable grounds to believe that an act or practice relating to personal data has been done or engaged in, or is being done or engaged in, by a data user, and may be a contravention of a requirement under the Ordinance, the Commissioner may carry out an investigation in relation to the relevant data user to ascertain whether the act or practice is a contravention of a requirement under the Ordinance.
