Cyber Threats on the Rise: Dissecting the Common Themes Behind Recent Cybersecurity Incidents in Hong Kong

Introduction

Hong Kong has witnessed a notable surge in cyber breach incidents in recent years. The cyberattacks have affected various organisations across the public, private and non-profit sector. Cybersecurity incidents recorded a 65.2% quarter-to-quarter increase in 2024 Q1. In 2023, the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) received 272 complaints relating to security of personal data. Among the recently affected organisations, the Companies Registry, the Electrical and Mechanical Services Department and the Consumer Council were put under spotlight as public concerns over government accountability on its cybersecurity failure has been mounting.

Cybersecurity breaches can lead to loss of personal data, system suspension and eventually damage to reputation. Many of the organisations which suffered cyberattacks were found to have had lax security over their data and received enforcement notices from the Privacy Commissioner, as they failed to take all practicable steps to ensure that personal data was protected against unauthorised or accidental access, processing, erasure, loss or use. The Privacy Commissioner published a number of investigation reports, setting out her findings, and providing comments and recommendations on some selected ransomware attacks in Hong Kong. This article explores the common themes and patterns observed in the recently selected incidents, and sheds light on the measures that organisations can take to strengthen their cyber defence under the evolving cyber threat landscape.

Common themes

Lack of monitoring of the service vendors

Organisations often fail to monitor their third party suppliers’ compliance with service agreements, and are unaware of undelivered services and/or unfulfilled obligations until cyber incidents take place. Where a system update and/or a patch has not been delivered by a third party vendor, there are obvious vulnerabilities that can easily be exploited by a threat actor. An outdated firewall firmware and/or antivirus database are an open door into any network. Some service contracts fail to stipulate a risk management mechanism and/or impose adequate data security requirements on service vendors, such that the organisations are unable to identify security risks and system vulnerabilities to prevent cyber breach incidents in time.

Inadequate data security management

Some of the organisations that were victims of cyberattacks did not have adequate policies or procedures on patching or on server updates. A number of organisations were found to have outdated operating software, firewall firmware and antivirus software database which made them vulnerable to cyberattacks. Some organisations only had antivirus software that provides very basic protection, and failed to adopt multi-layered security measures to build a “defence-in-depth” that would detect and prevent intrusion at an early stage. Deficiencies in data security management were also found to lead to failure of proper configuration of cybersecurity solutions which made them unable to send email alerts after cyber threats were identified.

No multi-factor authentication for remote access

Brute force attacks, coupled with the lack of multi-factor authentication for remote access, are often the starting point of a cyberattack. Some recent cyber breach incidents started with a brute force attack where attackers cracked login credentials, passwords, or encryption keys by simply trying all possibilities on a trial and error basis. Cybercriminals gain access to user accounts with administrator privileges by way of brute force attacks, so that they can subsequently disable anti-malware protection, move laterally within the network and access and encrypt data. Many attackers gained access to organisation networks through remote desktop connections where multi-factor authentication for remote access to data had not been put in place.

Inadequate information security policy

Many of the companies that suffered cyber attacks had Information Security Policies. However, the majority of those who had such policies had principle-based information security policies that lacked specificity in operational procedures and guidelines, such that staff members did not have a concrete cybersecurity framework to follow. Apart from the general principles in the information security policy, a detailed guide should be in place which would articulate specific procedures or requirements regarding security controls, checks and updates, such as procedures on how security control should be conducted, and how often regular checks and updates should be performed, so that staff members can perform their duties by following concrete requirements.

Some organisations also failed to ensure that their staff members had a clear understanding of the protocols and their responsibilities under the organisations’ cybersecurity framework, and failed to enforce their cybersecurity policies (such as strong password policy and multi-factor authentication)

Insufficient security audits

Some organisations which suffered ransomware attacks did not conduct regular security assessments and security audits of their IT systems, such that they were unable to identify their system vulnerabilities before a cyberattack happened. Security audits give an organisation a thorough understanding of its system protection standards and level of compliance with existing policy and protocols, and should be conducted regularly and frequently depending on the size and risk profile of the organisation, and also before implementing any new IT systems or important system updates.

Going forward

The increasing frequency, pervasiveness and sophistication of cyberattacks require immediate action from organisations such as reviewing their existing cybersecurity framework and implementing adequate measures to safeguard their IT systems and protect the personal data they store in these systems. As pointed out in a survey report on enterprises’ cybersecurity readiness in 2023, businesses in Hong Kong are particularly weak in “security risk assessment”, “patch management”, “cyber threats protection” and “human awareness building”. The standards set out in guidance issued by the PCPD , including but not limited to the Guidance and Guidance Note on Data Security Measures for Information and Communications Technology, and the Guidance on Data Breach Handling and Data Breach Notifications can be a starting point on the road to developing a robust cyber program for any organisation.

Apart from adopting security measures to safeguard information security systems, organisations should also formulate an incident handling mechanism and line up an incident response team (including external cyber breach counsel) which can help the organisation to navigate the regulatory, business and reputational risks posed by a cybersecurity incident and mitigate the impact of such incidents.