The Limited Times

Kuaitumei knew of the vulnerability but did not update its system; data of 620,000 customers was leaked and the company was extorted by hackers

2022-11-14T04:33:48.103Z


Photo development company Kuaitumei was hacked in 2021 and its systems were encrypted by ransomware. The Office of the Privacy Commissioner announced an investigation report today (14th), stating that the incident affected about 620,000 members and visitors.


The investigation showed that the firewall purchased by Kuaitumei had a vulnerability in 2019, but Kuaitumei, although aware of it, failed to follow the manufacturer's instructions to deactivate or update the Secure Socket Layer Virtual Private Network (SSL VPN) or to enable multi-factor authentication for it.

Privacy Commissioner Chung Lai-ling pointed out that Kuaitumei was "overly optimistic or even counting on a fluke about known risks", and that the incident was regrettable.


The investigation report quoted Kuaitumei as stating that the incident affected a total of 544,862 members and 73,957 visitors who had ordered products or services in its online store from November 16, 2020 to October 26, 2021, involving names, phone numbers, email and shipping addresses, etc.

Firewall manufacturer announced vulnerabilities in 2019

Kuaitumei disclosed that it purchased a firewall from a service provider in March 2018, installed and activated it in April, and then activated a Secure Socket Layer Virtual Private Network (SSL VPN) in March 2019 for remote login by the IT department.

In May 2019, the firewall manufacturer stated that it had noticed hackers disclosing vulnerabilities in its operating system, which could be used to bypass security restrictions and directly obtain SSL VPN account names and passwords. The manufacturer advised users to reset all account passwords and recommended enabling multi-factor authentication.

Kuaitumei: No fix due to working from home during the epidemic

It was not until the morning of October 26, 2021 that Kuaitumei's information technology department found that the online store and the database could not be accessed normally. In addition to the database, some servers and computers in the office had also been encrypted by ransomware.

The two IT consultancies appointed by Kuaitumei each concluded that Kuaitumei had not installed patches, which allowed hackers to exploit the related vulnerabilities for extortion, and that it had failed to enable multi-factor authentication for the SSL VPN.

Kuaitumei explained that, in response to the COVID-19 epidemic, it had implemented a work-from-home arrangement that allowed employees to use the SSL VPN to remotely access its systems. Kuaitumei did not re-evaluate the relevant vulnerabilities, so they remained unpatched up to the time of the incident.

Privacy Commissioner: Counting on a fluke is regrettable

The Office of the Privacy Commissioner believes that Kuaitumei misassessed the risk of the security vulnerabilities. Even though the vulnerabilities had been known since 2019, after an internal assessment the existing security measures were deemed adequate and no action was taken. Information system for personal data, and does not implement multi-factor authentication function.

Privacy Commissioner Chung Lai-ling described Kuaitumei as "overly optimistic or even counting on a fluke with regard to known risks, obviously misassessing the risks posed by the relevant vulnerabilities to its information systems containing personal data, and the possible consequences of hacking. The consequences are unfortunate." The Privacy Commissioner has served an enforcement notice on Kuaitumei in accordance with the Privacy Ordinance, directing it to rectify the breach.

Source: hk1
