Case Notes

This case relates to customer data

Case No.:2025DB03

A former employee of a pet grooming company accessed the online retail system via the accounts of existing employees – DPP 4 – security of personal data

Background

A pet grooming company (the Company) reported to the PCPD that a former employee had accessed its online retail system (the System), which contained the personal data of more than a thousand customers, by using the login credentials of existing employees. The former employee subsequently sent messages to the customers inviting them to patronise another pet grooming company. The personal data involved included names, HKID Card numbers, dates of birth, email addresses, telephone numbers, employment records, and social media account information.

The Company revealed that employees' phone numbers were used as the default account passwords when their accounts in the System were created. Employees were only reminded verbally to change the default password after their first login. The former employee, who knew of this practice, used the phone numbers of other employees as their passwords to gain remote access to the System after leaving the Company.

Remedial Measures

Upon receipt of the notification from the Company, the PCPD initiated a compliance check and provided recommendations to the Company to ensure compliance with the provisions of the PDPO. To prevent a recurrence, the Company changed the account passwords of all employees, who would further be required to change their passwords in the presence of their supervisors every six months. In addition, new recruits would be allocated randomly generated passwords comprising eight letters and numbers. Remote access to the System was also disabled.

Lesson learnt

With regard to password management, organisations should avoid using staff members' personal data (such as names, dates of birth and phone numbers) as default account passwords and should implement effective measures to manage user passwords. This includes setting rules for password length, complexity and history, and ensuring that users follow best practices for password security. Organisations should also consider an account lockout threshold policy that limits the number of failed logins to information and communications systems and locks the account for a pre-determined period once the threshold is reached.
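The controls described in this paragraph, as an added example that is not part of the PCPD case note or of the Company's own system: a password policy that rejects passwords built from the user's own personal data (phone number, date of birth, name, email), enforces length, letter-and-digit complexity and a password history, generates random initial passwords for new recruits, and an account lockout tracker that refuses further logins once the failure threshold is reached. The `User` record, the sample values and the thresholds (five failures, 15-minute lockout, five-deep history) are assumptions for the demonstration; the only value taken from the case note is the eight-character letter-and-digit initial password.

```python
import hashlib
import re
import secrets
import string
import time
from dataclasses import dataclass, field

# Policy parameters (assumed values for the demonstration; the case note only
# states that new recruits receive eight-character letter-and-digit passwords).
MIN_LENGTH = 8
HISTORY_DEPTH = 5          # a new password may not match any of the last 5
LOCKOUT_THRESHOLD = 5      # failed logins before the account is locked
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts


@dataclass
class User:
    """Hypothetical staff record; only the fields the policy needs to inspect."""
    name: str
    phone: str
    dob: str  # "YYYY-MM-DD"
    email: str
    history: list = field(default_factory=list)  # (salt_hex, pbkdf2_hex) of past passwords


def _digits(text: str) -> str:
    return re.sub(r"\D", "", text)


def personal_data_tokens(user: User) -> set:
    """Normalised fragments of the user's own data that must not appear in a password."""
    phone = _digits(user.phone)
    dob = _digits(user.dob)  # e.g. 19900517
    tokens = {phone, phone[-8:],              # full number and local part (HK numbers are 8 digits)
              dob, dob[:4], dob[4:], dob[2:],  # YYYYMMDD, YYYY, MMDD, YYMMDD
              user.email.split("@")[0].lower()}
    tokens.update(part.lower() for part in user.name.split())
    return {t for t in tokens if len(t) >= 3}


def _hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_password(user: User, candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must mix letters and digits")
    lowered = candidate.lower()
    if any(token in lowered for token in personal_data_tokens(user)):
        problems.append("contains the user's personal data")
    for salt_hex, digest in user.history[-HISTORY_DEPTH:]:
        if secrets.compare_digest(_hash(candidate, bytes.fromhex(salt_hex)), digest):
            problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
            break
    return problems


def set_password(user: User, candidate: str) -> None:
    """Enforce the policy, then record a salted hash so the history rule can be checked later."""
    problems = check_password(user, candidate)
    if problems:
        raise ValueError("; ".join(problems))
    salt = secrets.token_bytes(16)
    user.history.append((salt.hex(), _hash(candidate, salt)))


def generate_initial_password(length: int = 8) -> str:
    """Random letters-and-digits password for a new recruit, replacing the phone-number default."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate):
            return candidate


class LockoutTracker:
    """Counts failed logins per account and locks the account once the threshold is reached."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so lock expiry can be exercised without sleeping
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.locked_until[account]  # lock expired: clear it and the failure counter
        self.failures.pop(account, None)
        return False

    def attempt(self, account: str, credentials_valid: bool) -> str:
        """Apply the lockout to one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(account):
            return "locked"  # rejected even if the password is right
        if credentials_valid:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "failed"
```

`check_password` reports every rule the candidate breaks rather than stopping at the first, so a phone-number password such as the one in this case fails both the complexity and the personal-data rule. The lockout tracker returns `locked` regardless of whether the supplied credentials are correct, which is what stops a remote guessing attempt from continuing through the lockout window.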

(Uploaded in October 2025)