The Office of the Privacy Commissioner for Personal Data on Thursday said outdated firewalls and ineffective detection measures led to the data breach incident at Oxfam Hong Kong last year.
In July, the organisation suffered a ransomware attack, affecting its information systems and resulting in file encryption and data exfiltration.
The privacy watchdog’s investigation revealed that over 330 GB of data was exfiltrated from Oxfam’s systems, potentially affecting about 550,000 subjects.
The leaked data included identity card and passport copies, credit card and bank account numbers of Oxfam staff members, donors, job applicants and governance members.
Privacy Commissioner Ada Chung said Oxfam had not updated its firewalls since 2023, and it failed to take any action despite multiple detections of suspicious activities prior to the incident.
“It is a very regrettable situation, because basically we found that the data security measures adopted by Oxfam before the incident were neither adequate nor effective,” Chung said.
“That was why it was relatively easy for the hacker to gain access into Oxfam’s system, because basically the firewalls were outdated, and some of the servers had significant vulnerabilities as well.”
Chung added that Oxfam retained some personal data for longer than necessary, including multiple items held for over seven years.
The watchdog said it had served an enforcement notice on Oxfam for contravening the data protection principle, requiring the organisation to take measures to prevent similar contraventions in the future.