As the digital landscape evolves, data breaches have become increasingly prominent. In Hong Kong alone, data breaches increased by 51% in the second quarter of 2024 compared to the previous quarter. Despite several regulations and laws, many companies do not have the capacity or care to properly prevent data breaches. This became an unfortunate reality for the South China Athletic Association (SCAA), a non-profit sports organization in Hong Kong, after a report found that its recent data breach incident was caused by poor cybersecurity measures.
In this blog article, we look at the impact of the SCAA data breach, the specifics of the Privacy Commissioner for Personal Data (PCPD) report, and the Personal Data (Privacy) Ordinance. We also look at previous cyber-attacks on sports clubs and how organizations can prevent them in the future. For now, let’s get a better understanding of the SCAA data breach that took place earlier this year.
South China Athletic Association Data Breach
On the 17th of March 2024, the South China Athletic Association (SCAA) suffered a cyber-attack by unauthorized third parties. According to the organization, the data breach affected its computer servers and exposed the personal data of 72,315 SCAA members - including names, Hong Kong identity card numbers, passport numbers, photos, addresses, phone numbers, and email addresses. The SCAA expressed deep regret over the cyber incident in its official press statement and outlined immediate response actions which involved shutting down affected computer equipment to mitigate potential risks to member data security.
The SCAA also informed law enforcement and submitted a formal report to the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong. The PCPD then launched an investigation into the incident and urged the SCAA to notify affected individuals while adhering to established protocols. However, the findings of the report were recently released and revealed a distressing picture of the SCAA’s cybersecurity posture.
The PCPD Report on the SCAA Data Breach
On the 22nd of October, Privacy Commissioner Ada Chung Lai-ling and Chief Personal Data Officer Brad Kwok Ching-hei introduced the findings of their investigation into the South China Athletic Association data breach. The watchdog found that the sports club was in violation of the Personal Data (Privacy) Ordinance and had insufficient cybersecurity measures in place, which directly resulted in the March data breach. Shockingly, Chung further revealed that the hackers had installed malware on the SCAA system as early as January 2022, but the association failed to spot it until the data breach in March. So, let’s see how the SCAA data breach actually unfolded.
How Did the SCAA Data Breach Occur?
The investigation into the SCAA breach revealed that the hackers had installed malware on an SCAA server connected to the internet in January of 2022 – but that no malicious activity took place at the time. However, in March of this year, the hackers infiltrated the network and installed remote control software, then used ransomware to encrypt the files with members' personal information. The hackers then launched brute force attacks on the network and carried out several other malicious activities – including network reconnaissance, defense evasion, disabling anti-virus and anti-malware software, installing credential harvesting tools, lateral movement, and eventually encryption of files.
The hacker was also found to have used a computer program to generate several passwords to gain access to the SCAA system. On the 15th and 16th of March, the hackers conducted over 43,400 login attempts through brute force attacks on SCAA server administrator accounts. Chung further noted that the sports club’s IT system did not have a lockout feature to deter hackers’ attacks following unsuccessful password entries – effectively allowing them to attempt 20,000 logins within four hours.
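The missing lockout control can be made concrete with a short simulation. This is an added example, not code from the PCPD report or from the SCAA; the thresholds (5 failures in 15 minutes, 30-minute lock), the account name and the evenly spaced attempt timing are assumptions, and the log stream is constructed. It replays the 20,000 attempts in four hours described above with and without a sliding-window lockout and counts how many password guesses are actually tested.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Sliding-window intruder lockout. All times are integer milliseconds."""

    def __init__(self, max_failures=5, window_ms=15 * 60_000, lock_ms=30 * 60_000):
        # Thresholds are illustrative assumptions, not values from the PCPD report.
        self.max_failures, self.window_ms, self.lock_ms = max_failures, window_ms, lock_ms
        self._failures = defaultdict(deque)  # account -> times of recent failures
        self._locked_until = {}              # account -> time the lock expires
        self.lock_events = []                # (account, time): one alert per lockout

    def attempt(self, account, ts, password_ok):
        """Process one login attempt; return 'locked', 'ok' or 'failed'."""
        if ts < self._locked_until.get(account, 0):
            return "locked"                  # rejected without testing the password
        recent = self._failures[account]
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(ts)
        while recent[0] <= ts - self.window_ms:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = ts + self.lock_ms
            self.lock_events.append((account, ts))
            recent.clear()
        return "failed"


def guesses_tested(attempts, duration_ms, policy=None, account="administrator"):
    """Replay evenly spaced wrong-password logins (constructed); count those tested."""
    tested = 0
    for i in range(attempts):
        ts = i * duration_ms // attempts
        if policy is None or policy.attempt(account, ts, False) != "locked":
            tested += 1
    return tested


if __name__ == "__main__":
    four_hours = 4 * 60 * 60_000
    policy = LockoutPolicy()
    print("no lockout:  ", guesses_tested(20_000, four_hours))
    print("with lockout:", guesses_tested(20_000, four_hours, policy))
    print("lockout alerts raised:", len(policy.lock_events))
```

Each entry in `lock_events` doubles as a detection signal, which addresses the separate finding that the intrusion went unnoticed. Lockout also rejects the legitimate administrator while it is active, so it complements rather than replaces MFA on those accounts.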
According to the media statement released by the PCPD, the investigation found that a total of eight servers, one data storage device, and 18 computers belonging to the SCAA were attacked and encrypted by a variant of the Trigona ransomware. The hacker then demanded a ransom from the sports club to decrypt the files. Chung stated that the club’s failure to undertake the necessary steps to protect members’ information was in violation of the Personal Data (Privacy) Ordinance – put in place to protect users’ privacy. Chung went on to list six deficiencies in the SCAA framework that contributed to the data breach. These included:
- Accidental exposure of the relevant server to the Internet. This allowed the hackers to use the server as a “stepping stone” to infiltrate the network and launch the ransomware attacks.
- A lack of effective detection measures. This directly led to the 2022 malware going undetected for 2 years.
- Failure to enable Multi-Factor Authentication (MFA) for administrator accounts. This allowed the hacker to access the operating system of the compromised server without any additional identity verification and carry out various malicious activities.
- Lack of policies and guidelines on information security. This meant that the organization failed to provide comprehensive and concrete security review requirements and procedures on information systems for staff members to follow. The SCAA also failed to formulate password policies and implement intruder lockout.
- Absence of regular risk assessments and security audits. This resulted in the failure to make improvements based on feedback.
- Lack of offline data backup solutions. This allowed the hacker to encrypt personal data files and made data recovery more difficult.
Chung used these assessments to conclude that the SCAA’s awareness of the need to protect the personal data of its members was weak. To further explore the incident, let’s take a look at the impact of the breach as well.
The Impact of the SCAA Data Breach
The SCAA data breach resulted in the leaking of the personal data of 72,315 SCAA members. The PCPD office noted that the South China Athletic Association (SCAA) had failed to take all practicable steps to protect the personal data of members before the breach occurred in March. Chung further admonished the SCAA and stated that as a long-established sports association holding a significant amount of personal data, it should be vigilant about cybersecurity and data security.
The investigation further found that the club’s failure to undertake the necessary steps to protect members’ information was in violation of the Personal Data (Privacy) Ordinance and the PCPD office issued an enforcement notice to SCAA - requiring that the organization annually review the necessity of connecting personal data systems to the internet, regularly inspect and update detection and alert tools, and hire independent information security experts for annual risk assessments and security audits. The SCAA was given two months to submit proof of improvement measures.
In response, the South China Athletic Association (SCAA) released a statement to acknowledge the Investigation Findings issued by the Office of the Privacy Commissioner for Personal Data, Hong Kong in respect of the Data Breach Incident. The organization states that it has imposed a series of remedial actions immediately after the incident and will adhere to the Enforcement Notice of the PCPD to continuously strengthen its Cyber Security level and prevent breaches from happening in the future. To fully understand the effects of this violation, we’ll now explore the specifics of the Personal Data (Privacy) Ordinance.
What Is the Personal Data (Privacy) Ordinance?
The Personal Data (Privacy) Ordinance was passed in 1995 and is one of Asia’s longest-standing comprehensive data protection laws. The law generally governs the methods of collecting and using personal data – preventing any abuse of data that is considered as intruding on an individual's privacy. The PDPO applies to both the private and the public sectors and is technology-neutral and principle-based. The regulation has undergone several amendments throughout the years to effectively protect user data and privacy – particularly to combat doxing acts. Just recently, Chung noted that her office had been studying amending the Personal Data (Privacy) Ordinance to give the watchdog more teeth.
The proposed major changes to the regulation include empowering the privacy watchdog to impose administrative fines, making the reporting of data leak incidents mandatory, requiring companies to devise data retention policies, and also increasing penalties. Chung maintained that the aim is to enhance privacy protection while keeping business operations running. In the PCPD briefings on the SCAA incident, Chung also noted a rising trend in data breach incidents reported by schools and non-profit organizations - accounting for approximately 40% of the 157 incidents reported last year. Let’s get a better understanding of these incidents in the past.
History of Cyber-Attacks On Sports Clubs
Sports clubs form part of a vulnerable sector in charge of large amounts of private data. These organizations are often a popular target for hackers due to insufficient cybersecurity measures. These are some examples of sports clubs’ cyber-attacks in the past:
New York Sports Club Data Breach
In September of 2024, New TSI Holdings, Inc. d/b/a New York Sports Club filed a notice of data breach after discovering that an unauthorized party was able to access information stored on the company’s computer network. In the data breach notice, the New York Sports Club explained that the incident resulted in an unauthorized party being able to access employees’ sensitive information - including their names, Social Security numbers, and passport numbers.
Manchester United Ransomware Attack
In November 2020, the English football club, Manchester United, became the victim of a ransomware attack that disrupted the club’s digital operations. Hackers then demanded a ransom payment in exchange for decrypting the data and restoring access to the club’s computer systems. The club’s systems were taken offline to mitigate the damage and stop the ransomware from spreading further across the network. Eventually, the incident was resolved and systems were restored without paying the ransom fee.
French Basketball Data Breach
October 2023 spelled trouble for the French basketball team ASVEL when they fell victim to a data breach orchestrated by the NoEscape ransomware gang. The cyber-attack resulted in the exposure of 32GB of sensitive data - including players’ passports, identity documents, contracts, confidentiality agreements, and other legal documentation.
Spanish Football Club Breach
In 2023, the Real Sociedad soccer club became the victim of a cyber-attack that compromised servers storing sensitive data. This exposed names, surnames, postal addresses, email addresses, telephone numbers, and even bank account details of subscribers and shareholders.
These incidents are cause for concern and emphasize the vulnerability of the sporting industry to cyber-attacks. To avoid making mistakes like the ones made by the South China Athletic Association, the clubs and organizations need to follow strict cybersecurity protocols and invest in elevated security measures. To make this easier, we’ve listed out some best practices to help out.
Best Practices for Organizations to Prevent Data Breaches
While data breaches might seem like an unavoidable tragedy in the modern age, companies need to take their cybersecurity seriously to avoid becoming the next statistic. As Privacy Commissioner Chung stated in the SCAA briefing, any organization that holds personal data, regardless of its size or industry, should keep abreast of the latest developments in data security and adopt appropriate data security measures to protect the personal data in its possession. Here are some tips, supplemented by advice from the PCPD, to ensure that your organization remains protected in the future:
- Installing an effective Ransomware Protection Solution will protect your data from within the system and help to detect anomalies ahead of time.
- Regularly updating software and patches to stay protected from vulnerabilities.
- Using strong passwords and Multi-Factor Authentication will ensure effective access control across your network.
- Educating staff members and implementing cybersecurity awareness programs to avoid social engineering attacks or data mismanagement.
- Sticking to laws, regulations, and policies based on data privacy and security – such as the Personal Data (Privacy) Ordinance.
- Maintaining transparency about security incidents with authorities, the public, and your cybersecurity provider.
- Conducting regular security assessments and audits to find flaws or vulnerable areas in your network.
- Encrypting all your personal data files and using proper backup and recovery methods.
- The PCPD also encourages organizations to take note of the recommendations contained in the “Guidance Note on Data Security Measures for Information and Communications Technology” and the “Guidance on Data Breach Handling and Data Breach Notifications” to prepare themselves against any cyberattacks and to enhance cybersecurity and data security.
- Investing in advanced cybersecurity from Sangfor Technologies.
The best way to steer clear of data breaches and their effects is to invest in the right infrastructure to fortify your organization’s cybersecurity. Sangfor offers advanced, innovative, and affordable cybersecurity solutions and cloud infrastructure to maintain a secure, efficient, and reliable system.
- Sangfor’s Endpoint Secure provides a modern Endpoint Protection Platform (EPP) that combines antivirus, Endpoint Detection and Response (EDR), and endpoint management capabilities into a single solution.
- The world’s first firewall platform to combine AI Technology, Cloud Threat Intelligence, NG-WAF, IoT Security, and SoC Lite - Sangfor Network Secure seamlessly eliminates over 99% of external threats at the network perimeter.
- Additionally, Sangfor’s Anti-ransomware platform is the only security solution that addresses the entire life cycle of ransomware attacks while using AI and the synergy between Network Secure and Endpoint Secure to detect and block ransomware attacks in just 3 seconds.
- Lastly, Sangfor Security GPT is the groundbreaking innovation that merges Generative AI with advanced cybersecurity to enhance detection accuracy and operational efficiency. The platform speeds up investigation, enables proactive threat hunting, and streamlines incident responses through simple chat-based interactions - harnessing data from over 20,000 real-world devices and constantly learning and evolving to stay at the forefront of security detection and investigation.
Ensure that your organization sticks to the rules and invests in the correct cybersecurity protocols and measures to avoid being the victim of a data breach. Allow the South China Athletic Association data breach to serve as a reminder to follow the laws and regulations of your area to be protected from reputational damage, financial loss, and legal issues. Contact Sangfor today for information on enhancing cloud infrastructure and cybersecurity or visit www.sangfor.com to learn more.