Always Keep System Security Up-to-Date to Prevent Customer Data from Becoming Phishing Feeds
Local photo printing chain, Fotomax, fell victim to a ransomware attack and malicious encryption of its database in October last year, resulting in the leakage of over 600,000 customer data, including name, gender, date of birth, phone number, email address, contact address and delivery address. The Office of the Privacy Commissioner for Personal Data recently published an investigation report into the incident which found the company to be in breach of the Personal Data (Privacy) Ordinance, thereby issuing an Enforcement Notice to Fotomax, directing it to remedy and prevent recurrence of the contravention.
According to the investigation, the incident came about after Fotomax purchased a firewall in 2018 and enabled SSL VPN in the following year. The manufacturer of the firewall then revealed in its website a security vulnerability in the SSL VPN function. Users were urged to disable the SSL VPN function immediately until the operating system was updated and all account passwords were reset, and to enable multi-factor authentication. However, Fotomax did not update the system immediately, which subsequently led to the hacking of the system and leakage of customer data.
The incident reflects the importance of always doing a good job on system security. When learnt of potential threats, appropriate follow-up actions must be taken immediately, and any threats should never be treated lightly. Hence, System administrators should pay attention to the followings to enhance system security:
- To keep software, operating system, and anti-virus up-to-date and install security patches regularly, especially for systems exposed to the Internet (e.g., firewalls, VPN servers, etc.);
- Avoid using end-of-life products;
- Enable multi-factor authentication to protect network and system accounts;
- Refer to HKCERT’s Incident Response Guidelines for SMEs to establish and review security incident response plan;
- Refer to the concept of zero trust and network segmentation to reduce the attack surface and the scope of affected network;
- Back up all critical data, at least one local backup and one remote backup;
- Encrypt all sensitive data.
Also, as the incident involves leakage of personal data, HKCERT believes the data will be or has already been used for phishing attacks and scam incidents. The public is advised to pay extra attention to suspicious emails and calls. HKCERT also reminds enterprises and users:
- To pay attention to the spelling of the URL, carefully check for errors or suspicious elements, and verify the authenticity of the website;
- Not to assume that websites using the HTTPS protocol must be authentic and credible websites, and phishing websites can also use the HTTPS protocol;
- Not to open any links or attachments at will and think twice before providing personal information;
- To confirm the identity of the sender and the content before opening attachments and links in emails or instant messages;
- Regularly update the login password and enable multi-factor authentication for each account.
In addition, if the public has doubts about the phone number, email address, website URL and IP address, they can use the “Scameter” (https://cyberdefender.hk/en-us/scameter/) by CyberDefender to check whether they are frauds/online pitfalls or not.