Privacy watchdog finds ‘glaring deficiency’ in Hong Kong Ballet’s cybersecurity

Findings revealed of investigation into two breaches, the other at Council of the Hong Kong Laureate Forum, involving data of about 46,000 people

Reading Time:3 minutes

Both organisations failed to take steps to protect their computer systems and contravened security requirements under the Personal Data (Privacy) Ordinance. Photo: Shutterstock

Published: 3:40pm, 8 Aug 2024Updated: 6:38pm, 8 Aug 2024

The privacy watchdog has found major deficiencies in the Hong Kong Ballet’s cybersecurity measures, such as using outdated software and failing to conduct security assessments, which led to a data breach that compromised the personal information of nearly 38,000 people.

The Office of the Privacy Commissioner for Personal Data on Thursday also revealed findings of an investigation into another incident at the Council of the Hong Kong Laureate Forum, in which the names, email addresses and other information of more than 8,000 people were criminally accessed.

Privacy commissioner Ada Chung Lai-ling said: “Given the escalating risks, it is incumbent upon organisations of all sizes to strengthen their cybersecurity and data security to defend against malicious attacks and protect the personal data in their possession.”

According to the watchdog, the investigation into the Hong Kong Ballet’s systems was prompted by a data breach notification submitted by the company on October 16 last year. The ballet said it had suffered from a ransomware attack on September 29, which affected four physical servers.

Ransomware is a type of malicious software used by criminals to block access to computer systems through encryption. They then demand a ransom in exchange for decryption.

The investigation revealed that the initial attack on the company’s network occurred on September 15, when the outdated operating software of a server enabled a hacker to gain access to the company’s network.