The Office of the Privacy Commissioner for Personal Data said on Thursday that it has issued an enforcement notice to the Hong Kong Institute of Bankers, following a data leak that affected more than 13,000 members and about 100,000 non-members.
Speaking at a press conference, the watchdog said people’s personal information was leaked in December 2021, following a ransomware attack on six of the institute’s servers.
The Privacy Commissioner, Ada Chung, said there were “serious deficiencies” with the institute’s handling of the matter, adding that it had violated the Personal Data Ordinance.
"The Institute did not enable the multi-factor authentication for the VPN to enhance system security. If it had enabled multi-factor authentication, it will not be so easy for the hacker to get access to the system," she said.
Chung urged organisations to conduct regular risk assessments and enhance information systems management to prevent similar attacks.
Meanwhile, Chung said the watchdog has received a surge in doxxing complaints since the relevant laws came into effect in late 2021.
It said it received 3,848 complaints last year, up 15 percent from 2021. More than half of the cases were doxxing-related.
"It is because we have carried out a series of promotion and publicity and educational activities in relation to the new anti-doxxing regime. As a result, we believe members of the public have a better sense," she said.
Chung said 95 percent of the complaints were about private organisations or individuals, while the rest were targeted at public organisations or government departments.