Skip to content

Newspaper Column

PCPD in Media

Data security must be enhanced to foil threats -- Privacy Commissioner's article in China Daily (October 2023)

The past few weeks have been digitally challenging for Hong Kong and the rest of the world. Two local public organisations have fallen victim to ransomware attacks within a remarkably short period of time.

On an international scale, a prominent hotel and casino chain suffered a disruptive hacking attack in which a staggering six terabytes of data were reportedly stolen from its computer systems. Indeed, Check Point’s 2023 Mid-Year Cyber Security Report, published this August, revealed that the second quarter of 2023 saw an 8% surge in global weekly cyberattacks, the most significant increase in the past two years.

The repercussions of these cyberattacks, including both the data leakage and the potential harms that may be inflicted on the data subjects, have undoubtedly raised significant concerns over online security and cybersecurity loopholes worldwide. As these incidents unfold, it has become vital to foster heightened vigilance and to take proactive steps to address the looming threat before another cyberattack hits.

Fallout from a Cyberattack
Ransomware attacks, which involve hackers encrypting a victim’s data and then demanding a ransom payment in exchange for the decryption key, are one of the most common forms of cyberattacks. We cannot overemphasise the impacts of a ransomware attack, which can be devastating for the organisation and individuals affected.

For organisations, the potential disruption to their information systems and even business services may entail significant financial losses as well as damage to their goodwill and reputation. Fundamentally, the payment of a ransom does not guarantee that the encrypted files will be released by the malicious actor. In some cases, the decryption of files does not mean the malware infection itself has been removed, meaning that organisations may incur additional costs to restore their information systems and files. The consequential loss of business data, which may include trade secrets or other intellectual property information, can be far-reaching.

The personal data leakage that may follow from a cyberattack affects data subjects to various degrees. In addition to the loss of sensitive personal data such as health records and credit card information, the exploitation of such information for illicit purposes, such as its sale on the dark web or its use in identity fraud, may cast a long shadow of potential harm and lingering concerns over the affected individuals.
Take Action Now 
Hackers nowadays no longer only target behemoths. Small- and medium-sized enterprises, which accounts for over 98.5% of the total number of enterprises in Hong Kong, have increasingly become the prey of hackers, who exploit their relatively weaker defences as compared with those of larger corporations. It is incumbent upon all organisations, irrespective of whether they are public or private or the scale of their operations, to take precautionary measures to strengthen the data security of their information systems to fend off malicious attacks.

Data Protection Principle 4 of the Personal Data (Privacy) Ordinance requires data users to take all practicable steps to ensure that any personal data held by them are protected against unauthorised or accidental access, processing, erasure, loss or use.

Organisations are recommended, for example, to regularly conduct data security risk assessments and to implement effective security measures to safeguard not only their information and communications systems but also the personal data in their control or possession to thwart potential attacks. They should consider securing their computer networks by using security devices or software such as firewalls and/or antimalware applications.

Organisations are also recommended to regularly conduct vulnerability assessments and penetration tests to detect existing or emerging threats, to implement patch management to fix security vulnerabilities in a timely manner, to encrypt data both in transit and at rest, and to separate database servers from web servers to protect internal servers in case the web servers are compromised.

In this regard, my office issued the “Guidance Note on Data Security Measures for Information and Communications Technology” in 2022 to provide data users with recommended measures to enhance data security and mitigate emerging threats. I believe that these practical measures can help organisations stay one step ahead of evolving cyber threats.

In addition to strengthening information security measures, heightened awareness and proper training and communication with staff are of equal importance, as a staffer’s simple click on a phishing link may lead to malicious attacks on the organisation’s information systems. As an organisational measure to enhance data governance, organisations should establish a personal data Privacy Management Programme to ensure their responsible collection, holding, processing, and use of personal data. They should also appoint a Data Protection Officer to ensure compliance with all legal and internal risk control requirements. Otherwise, as Benjamin Franklin said, “By failing to prepare, you are preparing to fail.”
Uniting for Cyber defense
The escalating number of cybersecurity incidents is a wake-up call to all. In the age of global digitisation, businesses and organisations, regardless of their scale, face similar risks of cyberattacks. It is imperative for all parties involved, including the management and employees of organisations, to unite and work hand in hand to proactively defend against the upcoming waves of cyber threats.

There is no better time to start than now.