Members' notification on data security incident (14 October 2022)

Dear members and students,

It has come to our attention that the Institute has encountered a data security incident (Incident), which may have resulted in unauthorized access to some of your data.

While not every member may have been affected by the Incident and the Institute’s investigation remains ongoing, we would like to make you aware of what has happened so that you can increase your vigilance.

Background

On 14 August 2022 (Sunday), the Institute fell victim to a ransomware attack. The Institute discovered that two servers were out of service, and that some end-user files were encrypted by an unknown third party. Subsequent forensic investigations (which are mentioned below) revealed that an unknown threat actor (TA) with a Russian IP address gained access to the Institute’s systems via a vulnerability in its remote desktop protocol service, and subsequently, deployed and executed self-propagating ransomware on the Institute’s systems.

There is no evidence that the Institute was targeted and it would appear to have been an indiscriminate attack by the TA in the hope of financial gain.

Actions undertaken

Immediately following the discovery of the Incident, the Institute took swift actions to contain the Incident, including:

       (i)  restoring the Institute’s systems to normal operation via backup files; and

       (ii) strengthening firewall parameters to block malicious activities.

The Institute also engaged a leading cybersecurity consultant (Consultant) for further support, including (i) providing technical support; (ii) conducting a forensic investigation; (iii) recommending any security enhancements; and (iv) monitoring dark web activity. To ensure the TA was no longer in the Institute’s systems, and to limit the risk of this kind of incident from re-occurring, additional containment measures were implemented with the Consultant’s assistance.

On 15 August 2022, core systems of the Institute resumed services; on 16 August 2022, the Institute’s systems fully resumed normal operation. Since 18 August 2022, no malicious activity in the Institute’s systems has been detected, nor does the TA pose any continuing threat to the Institute’s systems.

The Institute considers that the Incident has been contained and there has been no disruption to its daily operation.

Investigation findings

Based on an analysis of firewall logs, the Consultant found evidence of suspicious outgoing data traffic to a user account (Cloud Account) hosted by a third party cloud storage website (Website). The Consultant immediately demanded that the Website take down the data in the Cloud Account, resulting in the indefinite suspension of the Cloud Account. Data in the Cloud Account is no longer accessible by any party.

It was, however, recently confirmed that the TA accessed and exfiltrated certain files in the shared folders of the Institute’s network (Exfiltrated Data) and the Exfiltrated Data was transferred to the Cloud Account. Other than the Exfiltrated Data, there is no evidence that any other data in the Institute’s core and membership systems were accessed by the TA.

While the investigation remains ongoing, on the basis of current analysis, the Exfiltrated Data may include some of the members’ names, membership numbers, phone and fax numbers, physical addresses, email addresses, Hong Kong identity card numbers and, for a much smaller subset of members, credit card and bank account numbers. 

At present, however, there is no evidence that any Exfiltrated Data has been disseminated into the public domain or misused. The Consultant has been monitoring the dark web continuously to detect any unauthorized publication and/or use of the Exfiltrated Data; no such activity has been identified to date.

Notifying authorities

The Institute understands that our members will be concerned. The Institute has been engaging with all the relevant authorities, organizations and parties to help safeguard our members’ data.

As a precautionary measure, on 22 August 2022, the Incident was reported to the Hong Kong Police Force and the Office of the Privacy Commissioner for Personal Data. The Institute will continue to assist and liaise with these authorities, and ensure that all of its statutory responsibilities are met.

Recommendations  

As stated, there is currently no evidence that any of the Exfiltrated Data has been misused. However, it is also generally important to be aware of the risk of scams and social engineering. These can occur when a fraudster contacts you impersonating the Institute or another business or government authority. They may attempt to scam you or trick you into disclosing other personal data or access credentials.

To protect your data, we recommend that you take the following precautions:

• Beware of any unusual logins of any registered accounts and personal emails;
• Change the passwords of the relevant accounts and enable two-factor authentication function (if available);
• Review your bank and credit card statements to spot any unauthorized transactions;
• Beware of any suspicious calls, text messages or emails or any calls, text messages or emails from unknown sources; and
• Beware of phishing or other possible scams, including anyone contacting you who requests personal data or access credentials from you, even if they appear to know some details about you.

Please rest assured that the security of our members’ data remains the Institute’s top priority. All necessary actions will continue to be undertaken to protect you and the Institute against any future cyberattacks.

Once again, the Institute understands your concerns, and sincerely regrets any inconvenience the Incident may have caused.

Yours faithfully,

Hong Kong Institute of Certified Public Accountants

Install the HKICPA Events app

Disclaimer: Some sections contain information from outside sources. We endeavour to link to reputable sources but the Institute is not responsible for the accuracy of the content and the content does not necessarily represent the views of the Institute.

This email together with the file(s) transmitted is intended solely for addressee(s) only and may contain confidential or privileged information. If you received this email in error, please contact the sender and delete it together with its attachment(s) from your computer(s). You should note that the views expressed in this email are those of the author and do not necessarily represent those of the Institute. The recipient should check this email and all attachments for the presence of virus. The Institute will not accept liability for any damage caused by any viruses transmitted with this email.

Manage communication preferences | Privacy policy | Personal information | Contact us

Copyright © 2022 Hong Kong Institute of CPAs. All rights reserved.