Cyber security breach: Hong Kong Privacy Watchdog Slams Canvas Owner

Hong Kong's privacy watchdog condemned Canvas owner for paying a ransom after a cybersecurity breach affecting 34,000 individuals. The Silicon Review reports on the "unsatisfactory" response and data deletion failures.

Hong Kong's privacy watchdog has strongly condemned the operator of the Canvas nightclub for paying a ransom to hackers following a cybersecurity breach that compromised the personal data of approximately 34,000 individuals.

The Office of the Privacy Commissioner for Personal Data concluded that Canvas Company Limited failed to take adequate steps to protect the personal information of its customers before the attack. The breach occurred when unauthorised individuals gained access to the company's cloud storage, exposing identity documents, addresses, phone numbers, and other contact details.

The hackers demanded a ransom, and the company paid it. The Privacy Commissioner's office stated that while the ransom payment was not illegal, it was a "commercial decision" that the watchdog could not approve or endorse. The incident highlighted the broader risks that ransomware attacks pose to data security in Hong Kong's entertainment and hospitality sectors.

In its investigation report, the commissioner's office also found that Canvas failed to take remedial measures after the breach. The company was ordered to delete all remaining customer data in its possession, but authorities found it had not fully complied with this requirement. The operator was also unable to provide a complete inventory of which specific data files had been affected, further complicating efforts to notify affected individuals.

The Privacy Commissioner criticized the company's overall response as "unsatisfactory," noting that the breach could have been prevented or its impact minimized if proper security measures had been in place. The commissioner urged all organisations handling personal data to implement robust security protocols, conduct regular risk assessments, and avoid storing unnecessary personal information.

The Canvas incident is part of a broader wave of ransomware attacks targeting Hong Kong businesses. The Privacy Commissioner's office has reported a 35 percent increase in data breach notifications in the past year, with the entertainment and retail sectors among the most vulnerable.

As Hong Kong's privacy watchdog condemns the Canvas owner for paying a ransom after a cybersecurity breach affecting 34,000 individuals, The Silicon Review examines how ransomware attacks are exploiting weak data protection practices in the city's nightlife industry & why regulators are demanding stronger safeguards.

Q: How many were affected by the Canvas cybersecurity breach?
A: The cybersecurity breach compromised the personal data of approximately 34,000 individuals, including identity documents, addresses, phone numbers, and other contact details stored in the company's cloud storage.

Q: Did the privacy watchdog approve of Canvas paying the ransom to hackers?
A: No. The Privacy Commissioner's office stated that while the ransom payment was not illegal, it was a "commercial decision" that the watchdog could not approve or endorse, and the company's overall response was described as "unsatisfactory."

Q: What failures did the investigation find in Canvas's response to the data breach?
A: The investigation found that Canvas failed to take adequate remedial measures after the breach, did not fully comply with an order to delete remaining customer data, and could not provide a complete inventory of which specific data files had been affected.

Q: What broader trend does the Canvas incident highlight in Hong Kong?
A: The Canvas incident is part of a broader wave of ransomware attacks targeting Hong Kong businesses. The Privacy Commissioner's office has reported a 35 percent increase in data breach notifications in the past year.

Q: What sectors are most vulnerable to data breaches?
A: According to the Privacy Commissioner's office, the entertainment, hospitality, and retail sectors are among the most vulnerable to ransomware attacks and data breaches in Hong Kong.

Q: What measures did the Privacy Commissioner Urge organisations to implement?
A: The commissioner urged all organisations handling personal data to implement robust security protocols, conduct regular risk assessments, and avoid storing unnecessary personal information to prevent or minimise the impact of data breaches.