Data breach of 128,000 'due to system fix and neglect' - RTHK

Data breach of 128,000 'due to system fix and neglect'

2025-03-31 HKT 14:45
The Office of the Privacy Commissioner for Personal Data says a data breach incident by ImagineX has led to nearly 128,000 people’s information being compromised.

Failing to delete temporary accounts in a timely manner and the use of end-of-support operating systems were the main factors leading to the breach, the Office of the Privacy Commissioner for Personal Data (PCPD) said on Monday.

The privacy watchdog said it received a report in May from ImagineX Management, a brand management company, about a ransom note related to stolen personal data.

After an investigation, the office found that the hacker had exploited a temporary user account and then used it to access the company’s intranet.

Around 68GB of personal data – involving names, email addresses, phone numbers, birth months, genders and nationalities – of the nearly 128,000 people were compromised.

The PCPD said those affected were mostly from brands who participated in ImagineX Management’s two membership programmes.

So far, there’s no evidence indicating the stolen data is being circulated or misused, it said.

Chief personal data officer Brad Kwok said the company had set up a temporary account with remote access to fix a system problem but forgot to delete it afterwards.

“This allowed the threat actor to exploit the account to compromise the network 10 days after the account was set up,” he said.

“In the investigation, we also found that ImagineX lacked standard procedures for creating and managing temporary accounts.

“This made the deletion of the temporary account solely dependent on measures taken by individual staff members.”

He noted the company had also used an operating system that had not been updated since 2020, making it vulnerable to attacks.

It is also accused of having inefficient detection measures and not conducting sufficient security risk reviews and audits for its system.

The PCPD said it issued an enforcement notice to ImagineX as it contravened the data protection principle and urged the company to take measures to prevent similar contraventions.
