Date: 2024-04-02

Last year, Cyberport, a government-funded technology hub in Hong Kong, fell victim to a cybersecurity attack, resulting in the theft of personal data belonging to 13,632 individuals. The Office of the Privacy Commissioner for Personal Data has now issued an enforcement notice to Cyberport, highlighting the urgency of implementing comprehensive security improvements.

Detailed Investigation Uncovers Major Flaws

An in-depth investigation by the privacy watchdog into the August cyberattack revealed that Cyberport had not taken adequate measures to secure its information systems. Among the victims were 8,000 staff members and 5,292 unsuccessful job applicants and former employees, whose sensitive data, including financial and personal identification information, was compromised. The breach was traced back to unauthorized access via brute force attacks, leading to the disabling of antivirus software and the encryption of files by ransomware.

Systemic Failures and Inadequate Policies

The investigation identified several critical lapses in Cyberport's cybersecurity defenses, including the absence of multi-factor authentication, reliance on a single antivirus program, and a lax data retention policy that led to the unnecessary storage of personal data. These deficiencies, coupled with a lack of regular security audits and specific operational guidelines for employees, made Cyberport's network vulnerable to sophisticated cyberattacks.

Comprehensive Measures Required

In response to these findings, the privacy commissioner has outlined a series of corrective actions for Cyberport to undertake. These include conducting thorough security checks, implementing multi-factor authentication, engaging an independent security expert for annual audits, and establishing clear guidelines for cybersecurity threat prevention, detection, and response. Cyberport is expected to comply with these demands by May 20, underscoring the critical need for immediate action to safeguard personal data and prevent future breaches.