The Office of the Privacy Commissioner for Personal Data (PCPD) has criticized the South China Athletic Association (SCAA) for its inadequate cybersecurity measures following a significant data breach that compromised the personal information of over 72,300 members. The breach, which occurred in March 2024, exposed sensitive data, including ID card numbers, passport details, phone numbers, and addresses. The PCPD found that the SCAA had inadvertently left its servers exposed to the internet, allowing hackers to infiltrate its network and execute the attack.
In its investigation, the PCPD discovered that the SCAA lacked an effective detection system to identify unauthorized access attempts. Reports indicated that the attacker made over 20,000 login attempts within a four-hour window without being interrupted. This oversight highlights the association’s failure to implement basic cybersecurity protocols, such as regular security checks and risk assessments, leaving its systems vulnerable to exploitation.
The PCPD noted that this was not the first time the SCAA had faced security issues; a similar incident occurred two years prior when a hacker successfully installed malicious software on the association’s systems, although no data was stolen at that time. Privacy Commissioner Ada Chung expressed disappointment at the SCAA’s inability to detect this previous breach, stating that proactive measures could have mitigated the damage from the recent attack. She emphasized the responsibility of the SCAA, as a long-established organization handling sensitive personal data, to prioritize cybersecurity.
In response to the PCPD’s findings, the SCAA acknowledged the investigation’s conclusions and has committed to adhering to the enforcement notice issued by the watchdog. The association stated it has implemented a series of remedial measures aimed at preventing future incidents. The PCPD also reported a concerning trend of rising data breaches among non-governmental organizations and schools, urging these entities to enhance their data security practices to safeguard sensitive information and protect against cyber threats.