Unauthorised access to membership database – DPP 4 – security of personal data
Background
An education institution (the Institution) reported to the PCPD that a hacker had exploited a security vulnerability in its plugin software to gain unauthorised access to a membership database on its web server, thereby exfiltrating the personal data of around 1,000 members, including their names, addresses, email addresses and mobile phone numbers.
Remedial Measures
Upon receipt of the notification from the Institution, the PCPD initiated a compliance check and provided recommendations to the Institution to ensure compliance with the provisions of the PDPO. In response to the incident, the Institution suspended the use of the plugin software and ceased storing personal data in the database involved. In addition, the Institution conducted a review of the source code of all its plugins and patched the vulnerabilities, and deployed a mechanism to monitor changes to the data in the membership database.
Lesson learnt
While plugin software brings benefits and convenience to information systems, it also increases information security risks, including security vulnerabilities, malicious code and improper access control, any of which may lead to data breach incidents. Organisations that incorporate plugin software in their information systems should take measures to minimise such risks, including installing plugin software only from trusted sources, performing periodic updates and vulnerability scans of the plugin software, implementing effective access control, and evaluating whether the organisational and technical measures for data security already in place are adequate to mitigate the additional risks associated with the use of plugin software.
(Uploaded in October 2025)