Consumer Council criticised over privacy breach - RTHK

2024-05-02 HKT 14:14
Privacy Commissioner Ada Chung on Thursday criticised the Consumer Council over a data breach last year, saying the watchdog contravened the Personal Data Ordinance with its deficiencies.

An attack by hackers resulted in the leak of personal data on more than 450 individuals, including staff members and people who filed complaints with the council.

Chung's office said the council started allowing staff to connect to its server using a Virtual Private Network (VPN) when work-from-home arrangements were introduced during the pandemic.

But the council failed to enable multi-factor authentication for remote access, and a hacker group obtained the credentials of a user account before deploying ransomware on the council's servers and endpoints.

At a press briefing, Chung said the council had not taken all practicable steps to protect personal data.
 
"The protection given by this multi-factor authentication would be enhanced to over 99 percent if this feature is enabled," she said.

Chung added that two weeks passed before the council realised there had been a breach.

"The cybersecurity solution was supposed to send an email alert to the council once it detected any cybersecurity attack. However, in this case, after the incident the council discovered that the cybersecurity solution was not properly configured," she said. 

"That was why even though it detected the attack in question, it did not send any email alert to the council for this particular incident, and that was why the council only discovered the cyberattack on September 20 [last year]."

The Office of the Privacy Commissioner for Personal Data has served an enforcement notice on the council and has ordered it to submit proof within two months that it has adopted improvement measures.

In response, the council said it attaches great importance to cybersecurity and has adopted various measures since the incident. 

"[The measures include] enabling multi-factor authentication for remote data access via VPN, conducting a comprehensive review of the cybersecurity solutions' functions and appropriate settings, and further strengthening internal training to enhance staff's awareness and behaviour on cybersecurity," it said in a statement.
