HKCert
Security Blog

Security and Privacy by Design - Crucial to Web Application

Release Date: 10 / 11 / 2018
Last Update: 11 / 11 / 2018

HKCERT is aware that some sensitive information were public accessible from an online application system of a sport event. Personal information including applicant name, part of HKID, address and telephone number were leaked. 

 
Although that vulnerable web application was stopped and remediated once the data leakage were discovered, it is an alert again to all organizations and web application developers the importance of securing your web applications and protection of privacy. HKCERT, once again, urges all organization should apply “Security and Privacy by Design” in their software development life cycle (SDLC) and follow the Six Data Protection Principles ("DPPs") of PCPD – DPP4 - Data Security Principle.
 
As lessons learnt from this incident, regular and earlier security assessment, identify and rectify security vulnerabilities, especially before the production launch, could discover the design flaw earlier. Data encryption and stored the sensitive information in the internal server would also be a fundamental protection measures to any web application.
 
The sport event applicants should pay attention to possible scam. If you suspect there is any criminal offense due to the theft of personal information, report to the Police as soon as possible.
 
To learn more about how to secure your web servers, web applications and database servers, please refer to "Guideline of Web Security" Security Guideline provided by us.
 
Other reference: