'Lack of care led to sports association data breach' - RTHK

'Lack of care led to sports association data breach'

2024-10-22 HKT 14:34
The Office of the Privacy Commissioner for Personal Data (PCPD) on Tuesday accused the South China Athletic Association (SCAA) of having inadequate policies and a lack of care, after a data breach affecting more than 72,300 members.

An attack by a hacker in March resulted in a breach of members’ personal information, including ID card numbers, passport details, phone numbers, photos and addresses.

The privacy watchdog said the SCAA accidentally exposed its servers to the internet, which the hacker took advantage of to infiltrate the network and launch the attacks.

The association was also accused of lacking a proper detection system for attacks. The watchdog said the attacker made over 20,000 attempts to log in to one of the servers for four hours, without being interrupted.

The PCPD said the same hacker had successfully installed malicious software on the sports organisation's system two years ago, although no data was stolen at the time.

Privacy Commissioner Ada Chung criticised the SCAA for failing to spot that attack until the data leak this year, saying it didn’t carry out regular checks or risk assessments.

“The association, as a long-established sports association holding a significant amount of personal data, should be vigilant about cybersecurity and data security. I am very disappointed that the association failed to implement effective information system security measures to safeguard members' personal data prior to the incident.

“I believe that if the association had deployed sufficient detection measures or alert tools back in 2022, there would have been a good chance of detecting the malicious activities at the early stage of the [March] hacking attack,” Chung said.

The PCPD ruled that the SCAA violated the Personal Data (Privacy) Ordinance, and an enforcement notice was issued to the association to fix the issue.

In response, the SCAA said it acknowledged the investigation findings and will adhere to the PCPD’s enforcement notice.

It said it imposed a series of remedial measures after the incident in question, and pledged to prevent similar incidents from happening again.

Separately, the PCPD said it has observed a concerning rise in data breaches involving non-governmental organisations (NGOs) and schools.

The watchdog received 61 data breach notifications from schools and NGOs last year, an increase of about 1.5 times compared to 2022.

Chung said NGOs and schools often hold a lot of sensitive personal data, making them attractive targets for hackers.

She urged them to stay vigilant against cyber attacks and bolster their data security resources.
