- However, from the activation of SSL VPN in January 2021 to the time of the Incident, HKIB still had not implemented multi-factor authentication to prevent hackers from using the leaked passwords to attack its system.
- Having considered all the evidence of this investigation, the Commissioner considered that HKIB:-
- failed to effectively manage data security risks, including failing to formulate patch management procedures, which resulted in the failure to patch the Vulnerability in a timely manner, thus allowing the hacker to successfully intrude into the system through the Vulnerability and encrypt the Servers;
- failed to properly manage the information system which contained personal data, including insufficient coverage of penetration tests and lack of effective antivirus software, which resulted in the system being unable to guard against hackers from attacking the Servers through the use of ransomware; and
- failed to implement multi-factor authentication for SSL VPN as recommended by the Firewall manufacturer before the implementation of work-from-home arrangements to prevent hackers from attacking the system using the passwords acquired.
- In this case, the Commissioner found that there were apparent deficiencies in the data security risk management and the personal data security measures of HKIB, which led to the ransomware attack on its Servers which contained personal data. The Commissioner considered that HKIB lacked effective data security risk management mechanism and adopted a lax approach towards service providers in the maintenance of critical network infrastructure. As a result, the security measures of the information system which contained personal data were ineffective in addressing cybersecurity risks and threats. To conclude, the Commissioner considered that HKIB had not taken all
8
