Published: 16:41, August 21, 2025
HK privacy watchdog says 140,000 people affected by two data leaks
By Atlas Shao in Hong Kong
People walk past a shoe store in Tsim Sha Tsui, Hong Kong, July 19, 2025. (IRIS MUK / CHINA DAILY)

The Hong Kong privacy watchdog on Thursday criticized two retailers for their inadequate privacy protection after major breaches led to the theft of the personal data of 140,000 clients and staff.

The two retailers are Japanese clothing company Adastria Co Ltd, and Kwong's Art Jewellery Trading Co Ltd together with its subsidiary My Jewelry Management Ltd. Data hacks in both cases led to information such as the identity card numbers, addresses, and phone numbers of 140,000 clients and staff being leaked.

It has been found that both companies had weak password management systems, and that their administrator accounts had no multifactor authentication set up, said Hong Kong’s Office of the Privacy Commissioner for Personal Data in an investigation report covering the two leakage cases.

Ada Chung Lai-ling, privacy commissioner for personal data, said that about two months after the breaches occurred, the hacked personal data was made public and available for download on the dark web. There is also evidence indicating that the stolen data has been used for fraudulent purposes.

The companies involved were in breach of the Personal Data (Privacy) Ordinance, the office said, adding that it has issued enforcement notices to the companies and has instructed them to implement corrective measures.

Kwong's Art Jewellery Trading Co and My Jewelry Management reported to the commissioner in November that their database server had been hacked, resulting in the theft of data relating to approximately 79,400 clients and staff, including their current and former employees' names, identification numbers, phone numbers, addresses, and more.

The company has reset all user login passwords, updated the server’s operating system, antivirus software and firewalls, and notified the affected individuals.

The commissioner’s investigation found that the company was not aware of the security risks in its information system or that the server’s operating system was outdated, and that it did not promptly delete the accounts of former employees, revealing an ineffective approach to implementing security and detection measures.


Adastria, a Japanese apparel group with famous brands such as niko and Global Work, suffered an unauthorized system breach by a third party in November. A hacker used the credentials of a current employee's administrative account to connect from an unspecified overseas IP address and download order data, resulting in the theft of the personal information of 59,205 customers.

atlasshao@chinadailyhk.com