- HKIB also admitted that it had not conducted any vulnerability scans on all internet-facing servers, applications and endpoint devices before the Incident and pointed out that the Service Provider did not advise HKIB to perform vulnerability scans. Nevertheless, HKIB reiterated that it did continuously monitor the service level of the Service Provider. Before renewal of the services agreement each year, the manager of the IT Department would conduct an annual assessment which would be endorsed and approved by the General Manager and the Chief Executive Officer.
Findings and Contravention
HKIB being the Data User
- HKIB in its daily operation collects, holds, processes and uses the personal data in the Servers. HKIB is therefore a data user[1] as defined under section 2(1) of the Ordinance and is required to comply with the requirements of the Ordinance, including the six Data Protection Principles (DPPs) set out in Schedule 1 to the Ordinance.
The Commissioner's understanding of the Cause of the Incident
- Having reviewed the investigation report of the Consultant, the responses from HKIB to the Incident and all the information obtained by the PCPD during the course of investigation, the Commissioner agreed with the investigation report that the Incident was caused by HKIB's failure to patch the affected system due to the lack of patch management procedures, which allowed the hacker to exploit the Vulnerability, get hold of its SSL VPN account names and passwords, intrude into the system to obtain system administrative privileges, deploy ransomware and subsequently succeed in encrypting the Servers. Meanwhile, HKIB did not enable multi-factor authentication for SSL VPN to enhance the security of the system.
- ↑ Under section 2(1) of the Ordinance, a data user, in relation to personal data, means "a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data".
5
