
The Consumer Council responds to the PCPD's investigation report

  • 2024.05.02

 

The Consumer Council identified an attack against its computer system on the morning of 20 September 2023.  Taking immediate action in a prompt, responsible and transparent manner, the Council filed a report with the Police and proactively notified the Office of the Privacy Commissioner for Personal Data (PCPD), and has provided a voluminous amount of information and fully cooperated with their investigations over the past six months.  The PCPD has completed its investigation and published a report today.

The Council attaches great importance to cybersecurity and has adopted various measures to enhance the security of its systems.  Under the guidance and supervision of the Full Council, a series of response actions and measures was undertaken to strengthen security, including:

  1. Containment action was taken to protect and restore the Council’s IT systems immediately after the incident;
  2. Based on risk assessment, a press conference was held within 48 hours to proactively announce the incident and alert potentially affected individuals to stay vigilant, followed by individual notices and cybersecurity alerts;
  3. Forensic experts were engaged to inspect the systems and conduct an in-depth investigation into the cause of the incident and whether any data was appropriated and, based on the experts' advice, containment and enhancement actions were taken to strengthen its IT security measures to prevent further cyberattacks;
  4. Upon confirmation of the outcome of the forensic investigation, individual notices were responsibly issued to affected individuals and update notices were issued to provide reassurance to those confirmed to have been unaffected;
  5. A service provider was entrusted to continuously monitor the dark web for any sign that information was appropriated and published.

The forensic investigation revealed that the threat actor illegally obtained credentials of an account with administrator privileges and gained access to the Council's computer system through a Secure Sockets Layer Virtual Private Network (SSL VPN).  The forensic expert and the Council conducted investigations using various technologies and from multiple perspectives but were still unable to determine how the threat actor obtained the credentials.  However, it was ascertained that the account had always used complex passwords, that there was no sign of brute-forcing, and that the account credentials were not found on the dark web.  According to the network traffic size over SSL VPN, which factored in traffic generated by the threat actor performing network scanning or remote administrative control over graphical interface, less than 1.5GB of data was affected.

Overall, only very limited personal data was affected, involving mainly 289 individuals who submitted complaints to the Council, including their names and primary contact details such as telephone number, email address or address contained in a spreadsheet prepared for complaint statistical analysis.  No credit card, bank account or financial information was involved.  In addition, the affected data included the names, divisions and office numbers of 138 current and 24 former staff members contained in the Council’s staff directory list, a staff member’s contact information contained in a draft tender document of the Council and the contact information of 26 vendor personnel contained in the Council’s IT vendor list, the files of which were respectively stored on workstations of two staff members.  The investigation has not been able to ascertain whether the information was downloaded, but according to the external dark web monitoring service provider, no affected information of the Council has been found to be published to date.

 

The Council attaches great importance to the PCPD's findings of the Council's shortcomings in personal data protection and its recommendations.  The Council has conducted a range of rectification measures immediately after the incident, including enabling Multi-Factor Authentication (MFA) for remote data access via VPN, conducting a comprehensive review of the cybersecurity solutions’ functions and appropriate settings, and further strengthening internal training to enhance staff's cybersecurity awareness and behaviour.  The Council is also improving its IT policies and guidelines and engaging a managed detection and response service provider to enhance its ability to defend against cyberthreats.

In the face of major challenges posed by increasing cybersecurity risks, upholding security is of paramount importance to the Council.  The Council shall continue to improve its system of information and data security, adopt prevailing security technology and solutions, enhance personal data management, strengthen internal training, data management policies and guidelines, and conduct regular tests and reviews to enhance network system governance.

The Council reiterates strong condemnation of the threat actor’s illegal activities in gaining unauthorised access to its computer systems and data, and expresses deep apologies to all affected parties.