Privacy Commissioner’s Office Reports on its Work in 2024 and Publishes Investigation Findings on the Data Breach Incident of Oxfam Hong Kong
The Office of the Privacy Commissioner for Personal Data (PCPD) today reported on its work in 2024 and published the investigation findings of the data breach incident of Oxfam Hong Kong (Oxfam).
Complaint Cases
In 2024, the PCPD received 3,431 complaints, which represented a slight decrease of 4% when compared to 3,582 cases in 2023. Of these complaint cases, nearly 90% involved complaints against private organisations or individuals (3,101 cases), while the remaining 10% were against public organisations or government departments (330 cases).
Enquiries
The PCPD received a total of 18,125 public enquiries in 2024. The figure increased by 14% when compared to 15,914 cases in 2023. The PCPD received 1,500 public enquiries on average per month. Among the public enquiries received in 2024, 27% related to the collection and use of personal data (e.g. Hong Kong Identity Card (HKID card) numbers and/or copies). The other main types of enquiries were about the complaint handling policy of the PCPD (11%), the handling of personal data in employment cases (6%), access to and correction of personal data (6%) and the installation and use of CCTV (5%), etc.
In 2024, the PCPD received 1,158 enquiries relating to suspected personal data frauds, which represented an increase of 46% when compared to 793 similar enquiries in 2023.
Data Breach Incidents
The PCPD received 203 data breach notifications in 2024, with 67 from the public sector and 136 from the private sector. The figure represented an increase of nearly 30% as compared to 157 data breach notifications in 2023. 67 data breach notifications were received from schools and non-profit-making organisations in 2024 (constituting 33% of all data breach incidents).
The data breach incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by email, post or fax, employee misconduct and system misconfiguration, etc. In 2024, there were 61 data breach incidents that involved hacking (constituting 30% of all data breach incidents). The figure was similar to that of 64 cases in 2023 (constituting 41% of all data breach incidents).
The PCPD initiated 400 compliance checks in 2024, which was comparable to the 393 compliance checks in 2023.
Anti-Doxxing Regime
The provisions criminalising doxxing acts under the Personal Data (Privacy) Ordinance (PDPO) came into effect on 8 October 2021. The amendments empower the Privacy Commissioner for Personal Data (Privacy Commissioner) to carry out criminal investigations, institute prosecutions for doxxing-related offences and issue cessation notices to request the cessation of disclosure of doxxing messages.
Enforcement Actions in 2024
In 2024, the PCPD handled a total of 442 doxxing cases (including doxxing-related complaints received and doxxing cases uncovered by the PCPD’s proactive online patrols). The figure dropped significantly, by 42%, when compared to 756 cases in 2023. Among the aforesaid 442 doxxing cases, 335 were doxxing complaints received by the PCPD. The nature of the disputes leading to the doxxing acts was mainly monetary disputes (46%), as well as family and relationship disputes (25%).
In the same period, the PCPD issued a total of 194 cessation notices to 20 online platforms to request the removal of 5,302 doxxing messages, with a compliance rate of over 96%. Other than individual doxxing messages, 58 doxxing channels were also successfully removed by the cessation notices.
The PCPD initiated 118 criminal investigations in 2024, and 40 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD arrested a total of 20 suspects. The means used by the suspected doxxers to dox the victims were mainly social media platforms and instant messaging apps (60%), and posters (20%).
Summary of Enforcement Actions under the New Anti-doxxing Regime
From the effective date (8 October 2021) of the relevant provisions to 31 December 2024, the PCPD handled a total of 3,326 doxxing cases. The PCPD also issued a total of 2,072 cessation notices to 53 online platforms to request the removal of 33,687 doxxing messages, with a compliance rate of over 96%. Other than individual doxxing messages, 250 doxxing channels were successfully removed by the cessation notices. The PCPD’s ongoing enforcement actions have greatly ameliorated the doxxing problem. In 2024, the number of doxxing cases uncovered by the PCPD’s proactive online patrols was 87, representing a significant drop of over 90% when compared to 1,134 cases in 2022 (i.e. the first year after the commencement of the anti-doxxing provisions). 355 doxxing-related complaints were received by the PCPD in 2024, which represented a drop of over 40% (44%) when compared to the 630 complaints received in 2022.
From the effective date (8 October 2021) of the relevant provisions to 31 December 2024, the PCPD initiated 372 criminal investigations, and 103 cases were referred to the Police for further follow-up actions. As regards arrest operations, the PCPD arrested a total of 63 suspects in the same period (including three arrests made as joint operations with the Police). During the period, 41 prosecutions were made in respect of doxxing cases and there were 32 convictions.
The PCPD’s work on combatting doxxing acts has not affected the freedom of speech of members of the public, nor has it affected the lawful operation of online platforms in Hong Kong. The PCPD will continue to take resolute enforcement actions against doxxing acts to ensure that the personal data privacy of the public is adequately protected.
The Investigation Findings on the Data Breach Incident of Oxfam
The investigation arose from a data breach notification submitted by Oxfam to the PCPD on 13 July 2024, reporting that Oxfam had suffered a ransomware attack which affected the information systems of Oxfam (the Incident).
The investigation revealed that the threat actor conducted a brute-force attack and exploited critical vulnerabilities in the firewalls of Oxfam (the Firewalls) to execute remote code and commands. The threat actor then obtained access to the Secure Sockets Layer Virtual Private Network (SSL VPN) command console and subsequently gained control of an IT tester account. After establishing a direct connection from the external network to Oxfam’s information systems via SSL VPN, the threat actor identified vulnerable servers within Oxfam’s network and gained administrator privileges in Oxfam’s Active Directory. They then performed lateral movement and intruded into Oxfam’s servers, workstations and notebook computers.
On 10 July 2024, the threat actor deployed “DarkHack” ransomware in Oxfam’s information systems, resulting in file encryption and data exfiltration. A total of 37 servers and 24 workstations or notebook computers belonging to Oxfam were compromised in the Incident, which included (i) the file server system; (ii) the donor database and its staging server for data migration; (iii) the Oxfam Trailwalker website database; (iv) human resources systems; and (v) the Active Directory server.
The investigation revealed that over 330 GB of data was exfiltrated from the information systems of Oxfam, which potentially affected around 550,000 data subjects, including donors, event participants, volunteers, programme partners, programme participants, programme consultants, former and existing staff members, job applicants and governance members. The personal data affected included names, spouses’ names, HKID card numbers/copies, passport numbers/copies, dates of birth, phone numbers, email addresses, addresses, credit card numbers, and bank account numbers (see Annex 1 for details).
Oxfam has notified the affected individuals of the Incident and implemented various organisational and technical improvement measures after the Incident to enhance the overall system security for the better protection of personal data privacy, such as implementing the recommendations on information security measures made by external consultants. Oxfam is also committed to updating its IT policies to establish a comprehensive vulnerability management programme, including regular vulnerability scanning and penetration tests.
The PCPD thanked Oxfam for its cooperation and the provision of the information and documents requested in the investigation.
Having considered the circumstances of the Incident and the information obtained during the investigation, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that the following deficiencies of Oxfam contributed to the occurrence of the Incident (see Annex 2 for details):-
Outdated Firewalls which contained critical vulnerabilities;
Failure to enable multi-factor authentication;
Lack of critical security patches of servers;
Ineffective detection measures in the information systems;
Inadequacies of the security assessments of information systems;
Lack of specificity of its information security policy; and
Prolonged retention of personal data.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, considered that Oxfam is a well-established organisation that consistently holds and processes a significant amount of personal data pertaining to different individuals. Consequently, stakeholders and the public have a reasonable expectation that Oxfam will allocate adequate resources to protect its information systems and uphold proper data security standards. However, the investigation found that Oxfam did not implement sufficient and effective measures to safeguard its information systems prior to the Incident. Oxfam had also failed to establish an effective mechanism for the timely deletion of some personal data that were retained longer than was necessary. These deficiencies contributed to the occurrence of the Incident and the situation was regrettable.
Based on the above, the Privacy Commissioner considered that Oxfam had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the PDPO concerning the security of personal data.
In addition, the Privacy Commissioner found that Oxfam had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening DPP 2(2) concerning the retention of personal data.
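The finding above, and the items listed under "Prolonged retention of personal data" in Annex 2, describe a missing mechanism rather than a missing rule. The following Python is an example written for this page of what such a mechanism looks like; it is not Oxfam's code or anything from the PCPD report, and the retention periods, record layout and function names are assumptions:

```python
from datetime import date, timedelta

# Retention limit per record category, counted from the event that starts the clock.
# The periods are illustrative assumptions, not Oxfam's policy or the PCPD's figures.
RETENTION_DAYS = {
    "programme_participant": 7 * 365,     # from the activity date
    "unsuccessful_applicant": 365,        # from the decision date
    "consultant": 7 * 365,                # from completion of the engagement
    "governance_member_id_copy": 30,      # from the identity check the copy served
}

# Constructed sample records mirroring the categories named in Annex 2.
RECORDS = [
    {"id": 1, "category": "programme_participant", "event_date": date(2015, 3, 1)},
    {"id": 2, "category": "programme_participant", "event_date": date(2023, 6, 1)},
    {"id": 3, "category": "unsuccessful_applicant", "event_date": date(2021, 9, 1)},
    {"id": 4, "category": "consultant", "event_date": date(2016, 1, 15)},
    {"id": 5, "category": "governance_member_id_copy", "event_date": date(2024, 5, 2)},
    {"id": 6, "category": "unknown_category", "event_date": date(2010, 1, 1)},
]

def expiry_date(record):
    """Date after which the record must not be held, or None if no rule covers it."""
    days = RETENTION_DAYS.get(record["category"])
    if days is None:
        return None
    return record["event_date"] + timedelta(days=days)

def sweep(records, today):
    """Classify records as keep / delete / unclassified. A record with no matching
    rule is surfaced as unclassified instead of being silently kept forever."""
    plan = {"keep": [], "delete": [], "unclassified": []}
    for r in records:
        exp = expiry_date(r)
        if exp is None:
            plan["unclassified"].append(r["id"])
        elif exp < today:
            plan["delete"].append(r["id"])
        else:
            plan["keep"].append(r["id"])
    return plan

def apply(records, today, dry_run=True):
    """Delete expired records in place unless dry_run; return the ids affected."""
    doomed = set(sweep(records, today)["delete"])
    if not dry_run:
        records[:] = [r for r in records if r["id"] not in doomed]
    return sorted(doomed)
```

Run the sweep on a schedule and treat a non-empty "unclassified" list as a policy gap to close, not as data to keep.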
The Privacy Commissioner has served an Enforcement Notice on Oxfam, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in future.
Photo caption: The Privacy Commissioner, Ms Ada CHUNG Lai-ling, elaborated on the PCPD’s work in 2024.
Photo caption: The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left) and Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei (right), elaborated on the PCPD’s work in 2024 and introduced the investigation findings of the data breach incident of Oxfam Hong Kong.
Photo caption: Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei, explained the investigation findings of the data breach incident of Oxfam Hong Kong.
-End-
Annex 1
Data Breach Incident of Oxfam Hong Kong
The categories of data subjects and the types of personal data affected in the data breach incident of Oxfam are listed in the table below:-
Categories of data subjects | Estimated number of potentially affected data subjects[1] | Types of personal data that might be involved
(i) Donors | 521,130 | Names, HKID card numbers, dates of birth, phone numbers, email addresses, addresses, credit card numbers, bank account numbers
(ii) Event participants | 87,831 | Names, HKID card numbers, dates of birth, phone numbers, email addresses, addresses
(iii) Volunteers | 7,928 | Names, phone numbers, email addresses, addresses
(iv) Programme partners | 472 | Names, phone numbers, email addresses, addresses, bank account numbers
(v) Programme participants | 6,665 | Names, phone numbers, email addresses, addresses
(vi) Programme consultants | 78 | Names, HKID card numbers, phone numbers, addresses, bank account numbers
(vii) Former and existing staff members | 471 | Names, spouses’ names, HKID card numbers/copies, dates of birth, phone numbers, email addresses, addresses
(viii) Job applicants | 746 | Names, phone numbers, email addresses, addresses
(ix) Governance members | 103 | Names, HKID card numbers/copies, passport numbers/copies, phone numbers, email addresses, addresses
Annex 2
Data Breach Incident of Oxfam Hong Kong
Deficiencies that Contributed to the Occurrence of the Incident
Outdated Firewalls which contained critical vulnerabilities: Oxfam had not performed any patching or updates to the Firewalls since June 2023. While two critical vulnerabilities associated with the Firewalls had fixes released in June 2023 and February 2024 respectively, Oxfam had not installed the latest available patches to the Firewalls at the time of the Incident. Consequently, the threat actor successfully exploited the vulnerabilities to execute remote code and commands, gaining control of the IT tester account used to connect to the SSL VPN, and ultimately gained access to Oxfam’s network and deployed the ransomware;
Failure to enable multi-factor authentication: While Oxfam was in the process of implementing two-factor authentication for SSL VPN, this critical security measure had not been completed before the Incident. The Privacy Commissioner was disappointed with Oxfam’s delay in implementing multi-factor authentication, especially given that Oxfam stored a substantial amount of personal data within its information systems;
Lack of critical security patches of servers: this allowed the threat actor to exploit critical vulnerabilities that existed in four name servers within Oxfam’s information systems to gain access to the servers and escalate their privileges to install malware, encrypt files and exfiltrate data from the compromised devices in the Incident;
Ineffective detection measures in the information systems: Although there were multiple detections of activities of the threat actor prior to its successful intrusion into Oxfam’s information systems, which included suspicious activities such as unusual login attempts, Oxfam had failed to take any action. Oxfam explained that it was not alerted to the suspicious activities because of the absence of mechanisms to notify relevant teams or personnel. On the other hand, the endpoint security service designated to detect malicious activities within Oxfam’s network was compromised after the threat actor’s successful intrusion into Oxfam’s information systems, which rendered it ineffective in detecting and preventing the ransomware attack. Oxfam also lacked measures to regularly monitor and review its database or server logs to detect suspicious activities;
Inadequacies of the security assessments of information systems: Oxfam had conducted two vulnerability assessments on its websites within the two years prior to the Incident, but the scope of the assessments did not encompass the Firewalls and the name servers which contained critical vulnerabilities. Further, the IT security assessments conducted by Oxfam between February and March 2024 also failed to identify the vulnerabilities associated with the Incident, as the scope of the assessments did not encompass conducting a vulnerability scan or penetration test of Oxfam’s IT security environment;
Lack of specificity of its information security policy: Oxfam’s “Information Technology User Manual” lacked sufficient detail regarding crucial aspects of ensuring data security, including requirements and procedures concerning patch management, vulnerability management, security assessment and log monitoring, all of which contributed to the occurrence of the Incident. While the manual consisted of some guidelines on data security measures and principles to be adopted, the contents were generally broad principles, without providing specific guidance on how the principles should be implemented; and
Prolonged retention of personal data: Oxfam inadvertently retained some personal data for a period longer than was necessary, which included approximately 4,000 items of personal data (including names, addresses, phone numbers, and/or email addresses) relating to participants of programme activities that Oxfam held over seven years ago, 600 items of personal data (including names, dates of birth, phone numbers and email addresses) relating to unsuccessful applicants of one of Oxfam’s programmes held from 2021 to 2024, 50 items of personal data including identification numbers and curriculum vitae of consultants retained for over seven years after completion of consultancy services, and 35 copies of HKID cards or passports relating to former governance board members.
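The detection deficiency above (unusual login attempts were recorded but nobody was notified) and the brute-force attack on the SSL VPN account described in the findings are the kind of signal a small log monitor catches. The following Python is example code written for this page, not Oxfam's tooling or anything from the PCPD report; the log format, field names, thresholds and the alert queue are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical SSL VPN authentication log format
# (not Oxfam's logs and not any vendor's real format).
SAMPLE_LOG = """\
2024-07-08T01:12:03Z vpn-auth user=it.tester src=203.0.113.7 result=FAIL
2024-07-08T01:12:05Z vpn-auth user=it.tester src=203.0.113.7 result=FAIL
2024-07-08T01:12:07Z vpn-auth user=it.tester src=203.0.113.7 result=FAIL
2024-07-08T01:12:09Z vpn-auth user=it.tester src=203.0.113.7 result=FAIL
2024-07-08T01:12:11Z vpn-auth user=it.tester src=203.0.113.7 result=FAIL
2024-07-08T01:12:14Z vpn-auth user=it.tester src=203.0.113.7 result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def parse(log_text):
    """Parse lines into dicts with a datetime; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on `threshold` failures per (user, source) inside `window`, and again
    if a success follows such a burst, which is what a guessed password looks like."""
    alerts, failures = [], defaultdict(list)  # (user, src) -> recent failure times
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append(("brute_force", ev["user"], ev["src"], ev["ts"]))
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", ev["user"], ev["src"], ev["ts"]))
            failures[key] = []  # a success clears the counter for this pair
    return alerts

def notify(alerts, sink):
    """Route every alert to a team queue (a list here); a detection nobody sees is not a control."""
    for kind, user, src, ts in alerts:
        sink.append(f"[{kind}] user={user} src={src} at={ts.isoformat()}")
    return len(alerts)
```

The second alert kind is the one worth paging on: a burst of failures followed by a success on the same account and source is a login to verify, not a log line to archive.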
[1] According to Oxfam, the total estimated number is around 550,000 after removing the duplications in the datasets, to the best of Oxfam’s efforts.