HK sees two major retail data breaches with personal data leaked on Deep Web


The Office of the Privacy Commissioner for Personal Data (PCPD) has published investigation reports concerning two significant data breaches involving a jewelry retailer and a clothing company, compromising the personal information of approximately 140,000 customers and employees.

In the first case, a jewelry company and its parent organization reported a breach in November last year.

It was said that hackers had infiltrated their shared system, stealing and deleting data belonging to approximately 79,400 individuals. The compromised information included names, dates of birth, phone numbers, addresses, email addresses, and customer membership numbers, affecting both clients and current and former employees.

The attackers gained access by carrying out brute-force attacks on an administrator account that had been inactive for over 13 years. They then injected malware into a desktop computer used for internal system development and programming.

A second case involved the Hong Kong online retail platform of a Japanese multinational corporation.

Unauthorized third-party access led to the exposure of personal data belonging to 59,205 customers.

The hackers allegedly used credentials from a current employee’s account to connect via an unknown overseas IP address, enabling them to download order information containing names, phone numbers, and addresses.

Privacy Commissioner Ada Chung Lai-ling confirmed that the leaked data was identified on the Deep Web two months after the breach. There is also evidence suggesting that the information has been used for fraudulent activities.

Given the substantial volume of sensitive customer data involved, Chung emphasized the importance of organizations dedicating sufficient resources to strengthening data protection. 

She recommended several security measures, including phasing out outdated software, strengthening password management protocols, and conducting regular security risk assessments and audits.

Both companies were found to have violated the Privacy Ordinance and were issued enforcement notices mandating immediate corrective actions.
 


