Hong Kong’s privacy watchdog has criticized the South China Athletic Association (SCAA) for poor cybersecurity practices following a data breach in March 2024 that exposed the personal information of 72,315 individuals.

The Office of the Privacy Commissioner for Personal Data (PCPD) stated that the sports club failed to implement effective security measures, which left sensitive data, including Hong Kong ID numbers, phone numbers, addresses, and photos, vulnerable to cyberattacks.

“I am very disappointed that the association failed to implement effective information system security measures to safeguard members’ personal data prior to the incident,” said Privacy Commissioner Ada Chung Lai-ling.

The breach occurred when unauthorized access to the SCAA’s computer servers allowed hackers to potentially steal members’ information. The affected data subjects were primarily club members whose personal details were stored on the association’s systems.

Following the attack, the SCAA took immediate action by shutting down the compromised servers and collaborating with cybersecurity experts to assess and repair the damage. However, the association’s response has drawn criticism for not adequately protecting members’ information in the first place:

  • Major Security Deficiency: The server was accidentally exposed to the internet, significantly increasing the risk of a cyberattack.
  • Lack of Detection Measures: The association had no effective system for detecting malicious activities, allowing the hacker to infiltrate the network for over two years.
  • Failed Intrusion Lockout: The hacker made over 43,400 login attempts on an administrator account, with 20,000 attempts recorded within a four-hour window. The association had not enabled the lockout function for repeated failed login attempts.
  • Absence of Security Policies: The club lacked multi-factor authentication for administrator accounts, had no information security policies, and failed to conduct regular risk assessments or security audits.

The Privacy Commissioner emphasized the need for much more stringent cybersecurity policies, citing the growing trend of hackers targeting corporations with large amounts of personal data.