Privacy watchdog finds ‘glaring deficiency’ in Hong Kong Ballet’s cybersecurity

According to the watchdog, the investigation into Hong Kong Ballet’s systems was prompted by a data breach notification the company submitted on October 16 last year. The ballet said it had suffered a ransomware attack on September 29 that affected four physical servers in its information systems.

Ransomware is a type of malicious software that criminals use to block access to computer systems and data by encrypting files. They then demand a ransom in exchange for the means to decrypt them.

The investigation revealed that the initial intrusion into the company’s network occurred on September 15, two weeks before the ransomware was deployed, when outdated operating system software on a server enabled a hacker to gain access to the company’s network.

The hacker then used various malicious tools and programmes to acquire passwords of the IT administrator and user accounts, and to obtain information about the network and details of computers connected to the network.

The hacker then used a domain administrator account to deploy the ransomware known as “LockBit” across the company’s information systems, encrypting files and exfiltrating data.

The watchdog said Hong Kong Ballet had estimated that the incident might have affected 37,840 people, including staff members, job applicants, ticket subscribers, guest artists, activity participants, donors, sponsors and vendors.

The Privacy Commissioner for Personal Data, Ada Chung Lai-ling, warned of escalating risks and urged all organisations to boost their cybersecurity measures. Photo: Yik Yeung-man

The personal data affected included names, ID card numbers, passport numbers, photographs, dates of birth, addresses, email addresses, telephone numbers, health information, bank account numbers, credit card numbers, and employment as well as academic information.

The company was found to have a “glaring deficiency” in its regular patching and updating practices, the watchdog said. The ballet’s server was running outdated operating system software, and unnecessary exposure of the server to the internet during a system migration performed by the service vendor had also significantly increased the risk of cyberattack.

It had also fallen short in security monitoring, with an absence of data security assessments and security audits of its information systems, the watchdog added.

The watchdog also carried out an investigation into a data breach incident at the Council of the Hong Kong Laureate Forum and found an initial attack had occurred on September 26 last year, ahead of the organisation’s inaugural forum held in November.

The investigation found that a hacker had obtained the credentials of a user account with administrator privileges through a brute force attack – a method that guesses passwords by trial and error – and gained access to its server before deploying ransomware known as “Elbie” to encrypt files on one server and seven endpoints.
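The brute-force-then-access pattern described above leaves a recognisable trace in authentication logs: a burst of failed logins against one account from one source, followed by a success. The script below, an added example that is not part of the watchdog’s report or either organisation’s systems, runs a rolling-window detector over constructed sample log lines. The log format (timestamp, result, user, source IP) and the threshold and window values are assumptions for the demonstration.

```python
"""Detect brute-force logins in authentication logs.

Added example, not part of the PCPD findings or either organisation's
systems. The log format below (timestamp, result, user, source IP) is an
assumption; the sample lines are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, e.g. "2024-09-26T02:14:07 FAIL admin 203.0.113.7".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) (?P<user>\S+) (?P<ip>\S+)$"
)

# Constructed sample: a burst of failures against one account from one
# source, followed by a success, plus benign noise from another host.
SAMPLE_LOG = """\
2024-09-26T02:14:01 FAIL admin 203.0.113.7
2024-09-26T02:14:02 FAIL admin 203.0.113.7
2024-09-26T02:14:03 FAIL admin 203.0.113.7
2024-09-26T02:14:04 FAIL admin 203.0.113.7
2024-09-26T02:14:05 FAIL admin 203.0.113.7
2024-09-26T02:14:06 FAIL admin 203.0.113.7
2024-09-26T02:14:08 OK admin 203.0.113.7
2024-09-26T02:20:00 FAIL alice 198.51.100.9
2024-09-26T02:25:00 OK alice 198.51.100.9
"""


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (
        datetime.fromisoformat(m["ts"]),
        m["result"],
        m["user"],
        m["ip"],
    )


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag (ip, user) pairs with at least `threshold` failures inside `window`.

    Returns a dict mapping (ip, user) -> {"failures": n, "succeeded": bool};
    "succeeded" records whether a later login from the same source to the
    same account succeeded, i.e. the guessing most likely worked.
    """
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        key = (ip, user)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            # Drop failures older than the window so the count is rolling.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "succeeded": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif result == "OK" and key in alerts:
            alerts[key]["succeeded"] = True
    return alerts


if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE_LOG).items():
        status = "then logged in" if info["succeeded"] else "no success seen"
        print(f"{ip} -> {user}: {info['failures']} failures, {status}")
```

On the sample above the detector flags 203.0.113.7 against the admin account with six failures followed by a successful login, and ignores the single failure from 198.51.100.9. A success after a flagged burst is the case to treat as a probable compromise rather than a locked-out user, which is why the result records it separately from the failure count.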

The hacker also sabotaged the backup data stored on another server.

According to the watchdog, the incident affected the personal data of 8,122 people, including about 7,200 e-newsletter subscribers. The data included their names and email addresses.

About 920 others were also affected, including young scientist applicants, Shaw Laureate awardees and accompanying guests invited to the November forum, scientists and speakers, reviewers, and current and former staff members of the council.

The personal data compromised included names, addresses, email addresses, telephone numbers, passport information, full or partial passport or Hong Kong Identity Card (HKID Card) numbers, bank accounts, credit card information, dates of birth, places of birth, nationalities, resumes and transcripts, affiliated organisations and academic backgrounds.

According to the watchdog, the factors that led to the incident included deficiencies in the council’s information systems management, lax monitoring of data security measures, a lack of policies and guidelines on information security and insufficient data backup solutions.

Both the Hong Kong Ballet and the Council of the Hong Kong Laureate Forum had failed to take practicable steps to protect their systems from “unauthorised or accidental access, processing, erasure, loss or use of its data”, which contravened security requirements under the Personal Data (Privacy) Ordinance, the watchdog added.

They were served enforcement notices directing them to take measures that would prevent similar incidents from happening in the future.

Chung urged all organisations to take appropriate measures to protect information systems that contain personal data, including regularly conducting risk assessments of security systems and updating software, and using firewalls and other software to protect computer networks.