April 2025

Hong Kong PCPD Publishes Investigation Findings on Oxfam Data Breach Incident


Introduction

In January 2025, the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) published an investigation report regarding a significant data breach incident reported by Oxfam Hong Kong (“Oxfam”) in July 2024 (“Investigation Findings”). The incident, which was caused by a ransomware attack, affected the personal data of around 550,000 individuals, including donors, event participants, volunteers, programme partners, programme participants, programme consultants, former and existing staff members, job applicants and governance members. The Investigation Findings focused on the importance of data users having effective data security measures and a robust cybersecurity defence against ransomware attacks. In this article we offer a summary of the case and the key takeaways from it.

Oxfam Data Breach

Background

The incident was caused by a ransomware attack that started with a brute-force attack by a threat actor, who exploited critical vulnerabilities in Oxfam's firewalls to execute remote code and commands. The threat actor was able to remotely access Oxfam's Secure Sockets Layer Virtual Private Network ("SSL VPN") command console, obtain control of an IT tester account, and establish a direct connection to Oxfam's information systems via the SSL VPN. Subsequently, the threat actor targeted vulnerable servers within Oxfam's network, performed lateral movement and penetrated Oxfam's servers, workstations and devices. Once inside, the threat actor deployed the "DarkHack" ransomware, encrypted files and proceeded to exfiltrate up to 330 GB of data. The affected personal data included the names of affected individuals, spouses' names, Hong Kong Identity Card numbers/copies, passport numbers/copies, dates of birth, phone numbers, email addresses, addresses, credit card numbers and bank account numbers. Following the incident, Oxfam informed the affected individuals and implemented measures to strengthen the security of its systems as recommended by external consultants.

Key Findings

The PCPD identified seven critical deficiencies in Oxfam's data protection measures that contributed to the breach:

  1. Outdated firewalls: Oxfam had failed to install the latest available patches or updates to its firewalls since June 2023, even though fixes for critical vulnerabilities had been released. The threat actor was therefore able to exploit vulnerabilities in the system and obtain access to Oxfam's network.
  2. Lack of critical security patches on servers: Oxfam had failed to install the latest security patches for its servers, so the threat actor was able to exploit the servers' critical vulnerabilities to install malware, encrypt files and exfiltrate data from compromised devices.
  3. Failure to enable multi-factor authentication: There was a delay on the part of Oxfam in implementing two-factor authentication for its SSL VPN. The implementation of this critical security measure had not been completed at the time the breach occurred.
  4. Ineffective detection measures in the information systems: Oxfam lacked a functioning notification system for suspicious activities and did not perform regular monitoring or review of its database or server logs to detect such activities. The PCPD noted that there were multiple detections of the threat actor's activities before it successfully infiltrated Oxfam's information systems, but there was no proper mechanism to alert relevant personnel to such suspicious activities. Oxfam was also unable to detect and prevent the ransomware attack with its compromised endpoint security service.
  5. Inadequate security assessments of information systems: The vulnerability assessments conducted by Oxfam before the incident did not include an assessment of its firewalls and name servers, where critical vulnerabilities were found. Moreover, Oxfam's IT security assessments did not identify the vulnerabilities involved in the incident, as the assessments did not include a penetration test or vulnerability scans of its IT security environment.
  6. Lack of specificity in information security policy: Oxfam's IT user manual only outlined broad data protection principles and did not provide specific procedures and requirements to ensure data security. In particular, the manual did not cover aspects such as patch management, vulnerability management, security assessment and log monitoring.
  7. Prolonged retention of personal data: Oxfam retained more than 4000 sets of personal data for longer than necessary. The PCPD found that Oxfam lacked an effective mechanism for the timely deletion of personal data.

Given the above, the PCPD found that Oxfam contravened the following Data Protection Principles (“DPPs”) under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”):

  • DPP 4(1) Data Security – Oxfam had not taken all practicable steps to ensure that personal data was protected against unauthorised or accidental access, processing, erasure, loss or use.
  • DPP 2(2) Data Retention – Oxfam had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the original purpose of the use of such data.

The PCPD issued an Enforcement Notice against Oxfam, requiring it to remedy the deficiencies and violations identified in order to prevent similar breaches from occurring in the future.

Recent trend in relation to data breach incidents in Hong Kong

The Oxfam data breach incident is only one of many examples of data breaches in Hong Kong in recent years. Statistics from the PCPD show that the number of data breach incidents in Hong Kong has been on the rise. In 2024, the PCPD received 203 data breach notifications, a nearly 30% increase from the 157 notifications received in 2023. Hacking remained a prevalent cause of data breaches in 2024, accounting for around 30% of the incidents reported that year. Other causes of data breaches include loss of documents or portable devices, inadvertent disclosure of personal data (by email, post or fax), employee misconduct and system misconfiguration.

Takeaway

The Oxfam data breach incident highlights the significant risks associated with inadequate data security measures and data retention policies. Both private and non-profit organisations that hold a significant volume of personal data should closely monitor the fast-evolving cyber threat landscape and continuously review and strengthen their data security and retention practices. Organisations should also adopt a clear and disciplined approach to data governance and data management, enhance organisation-wide training and awareness on data protection, and formulate and enforce effective data retention policies.

The authors would like to thank Charmian Chan, Trademark Assistant at Mayer Brown Hong Kong LLP, for her assistance with this article.
