
Over 9,000 affected in ransomware attack on club

2026-04-23 HKT 16:03
  • Ada Chung says Yau Yat Chuen Garden City Club retained the personal data of former members and cardholders for longer than necessary. Photo: RTHK
A private club failed to take all practicable steps to protect the personal data of its members following a ransomware-related data breach that affected more than 9,000 people, the Privacy Commission said following an investigation.

The probe was launched after the club had lodged a data-breach notification with the Office of the Privacy Commissioner for Personal Data on October 31.

The more than 9,000 people affected included Yau Yat Chuen Garden City Club’s 1,553 active members, supplementary card holders, former members and former supplementary card holders, the commission said on Thursday as it released its investigation report.

Personal details taken in the breach included full names, identity card and passport numbers, dates of birth, email addresses, contact numbers and addresses.

Commissioner Ada Chung said the breach stemmed from the club’s customer management system, which was rendered inoperable after an attack encrypted system files stored on a server.

She said the club retained the personal data of some former supplementary card holders and former members for longer than necessary – seven years after membership or the validity of cards expired.

Assistant privacy commissioner Alex Chan said the breach was linked to multiple security weaknesses, including outdated remote-access software with a known vulnerability, lack of user authentication for remote access, outdated antivirus and firewall protections, and weak organisational security measures.

"The vulnerability enabled the threat actors to compromise the account credentials used by the service provider to access the software," Chan said.

"This was further facilitated by the servers being left in a locked-in state without the implementation of additional authentications control."

Chung said the club had contravened the privacy law and been given an enforcement notice that required it to take remedial actions.

In response, the club said it has initiated remedial measures, including updating antivirus, firewall and the remote access software in the latest version of its system.

In a statement issued to members, the club said there was, to date, no evidence to suggest that any personal data has been leaked or disclosed to the public as a result of the breach.

"Nevertheless, we remain vigilant and advise all members to exercise caution regarding any suspicious messages, emails or telephone calls," it said.

The club said it had stepped up security measures, such as disabling for good the remote access software in question and having its designated personnel authorise remote technical support sessions.

It added that personal data stored in its servers was now encrypted, its hardware and cybersecurity protocols were upgraded and that it was in the process of changing its data retention policies.

Chung also urged organisations handling large volumes of personal data to regularly update software as soon as possible, use strong authentication, conduct security assessments and adopt clear data-retention policies.


Edited by Tony Sabine
