Oxfam Hong Kong Data Breach: Regulator Determines Charity Breached Privacy Regulations

The local branch of the international charity Oxfam has been found in violation of data protection laws following a significant data breach that occurred in July and potentially impacted up to 550,000 individuals. This conclusion was reached by Hong Kong’s Privacy Commissioner for Personal Data in an investigation report released on Thursday.

In addition to the findings related to Oxfam, the report highlighted a concerning trend in data privacy incidents over the past year: breach notifications rose by nearly 30 percent, while reported cases of doxxing fell by 42 percent during the same period. This divergence underscores the shifting landscape of cybersecurity threats and the ongoing challenges organizations face in safeguarding personal information.

According to the Privacy Commissioner, Ada Chung Lai-ling, Oxfam failed to take sufficient measures to protect the personal data involved in the breach from unauthorized access, processing, or loss. The investigation specifically concluded that Oxfam Hong Kong had breached Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance with regard to securing personal data.

The report detailed the mechanics of the attack: the threat actor deployed ‘DarkHack’ ransomware against Oxfam’s information systems, encrypting files and exfiltrating data without authorization. In total, 37 servers and 24 workstations within Oxfam’s network were compromised during the incident.

In response to the findings, Chung has issued an enforcement notice to Oxfam, directing the organization to remedy the identified deficiencies in its data protection practices and to put in place measures that prevent similar incidents in the future.

From a cybersecurity perspective, the event can be analyzed through the lens of the MITRE ATT&CK framework, which catalogues adversary tactics and techniques. The report does not state how initial access was obtained; it may have been gained through social engineering or by exploiting vulnerabilities in Oxfam’s systems. Persistence and privilege-escalation techniques likely allowed the threat actor to retain access to sensitive information despite the security measures in place.

This incident serves as a critical reminder for organizations, particularly in sectors handling sensitive information such as charities and non-profit entities, to prioritize robust cybersecurity strategies and compliance with data protection regulations. As the landscape of digital threats continues to evolve, maintaining vigilance and proactive measures against potential breaches is imperative for safeguarding personal data and organizational integrity.