HKCert
Security Blog

Beware Personal Information Abuse

Release Date: 18 / 04 / 2018
Last Update: 18 / 04 / 2018

HKCERT is aware that an Internet service provider has disclosed a server breach incident that leaked personal information, including names, email addresses, correspondence addresses, telephone numbers, HKID numbers and thousands of credit card records, as of 2012.

Intruders may abuse the leaked information. HKCERT reminds users to stay alert and apply proper security measures. For example:

  1. Email addresses can be used for phishing attacks, so beware of suspicious email.
  2. Watch for unknown credit card transactions.
  3. Other personal particulars may also be used in financial scams.

Enterprises should implement proper security measures to protect personal data. Data leakage protection measures fall into three categories:

1. Protect Data

  • Remove sensitive data from retired servers;
  • Data encryption;
  • Regular data backup, and ensure an offline backup is available;

2. Strengthen the System and Data Access Protection

  • Deploy server security patching regularly;
  • Restrict access to authorized accounts and apply the least privilege principle;
  • Protect the administrator's login interface and system remote access services (such as RDP port 3389 and TeamViewer port 5938); two-factor authentication is recommended to protect the connection;
  • Use an application firewall to protect websites and database servers;
  • Perform penetration tests and/or vulnerability scans periodically;

3. Strengthen the System Security Design

  • Verify and validate user input in web applications;
  • Place the web server and database server separately; the database server should be located on the internal network and accept access only from the internal network; and
  • Protect intranet computers so they do not become hackers' backdoors.
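One practical check for the advice in sections 2 and 3, added here as an example and not part of the HKCERT advisory: audit a server's listening sockets and flag remote access services (the RDP and TeamViewer ports named above) or database listeners that are bound to every interface instead of loopback or an internal address. The `ss -tln` sample output is constructed, and the database port numbers are assumed vendor defaults.

```python
import ipaddress

# Services named in the advisory: RDP (3389) and TeamViewer (5938).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5938: "TeamViewer"}
# Database ports are assumed vendor defaults, not taken from the advisory.
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}

# Constructed sample of `ss -tln` output; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:5938            [::]:*
LISTEN  0       128     10.0.1.5:5432        0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
"""

def is_internal(addr: str) -> bool:
    """True when the bind address limits the listener to loopback or private space."""
    if addr == "*":
        return False
    ip = ipaddress.ip_address(addr)
    # 0.0.0.0 and :: mean "every interface"; Python treats 0.0.0.0/8 as private,
    # so the unspecified check must come first.
    if ip.is_unspecified:
        return False
    return ip.is_loopback or ip.is_private

def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Extract (bind address, port) pairs from the LISTEN rows of `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def audit(ss_output: str) -> list[tuple[str, int, str]]:
    """Return (service, port, bind address) for remote-access or database
    listeners that are reachable beyond loopback or the internal network."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        service = REMOTE_ACCESS_PORTS.get(port) or DATABASE_PORTS.get(port)
        if service and not is_internal(addr):
            findings.append((service, port, addr))
    return findings

if __name__ == "__main__":
    for service, port, addr in audit(SAMPLE_SS):
        print(f"{service} on {addr}:{port} is exposed; restrict it to the internal network and enforce 2FA")
```

Run it against the real output of `ss -tln` on a server to obtain the same findings for that host.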