Outcomes - Selected Case Summaries
Categories
Investor personal data leaked on the dark web
Decisions | 25 September 2023
A security incident at a Cayman Islands fund resulted in the exfiltration of personal data of several directors across numerous jurisdictions, and its publication on the dark web. The unauthorized access took place through a firewall device and resulted in an attempted ransomware attack. The fund notified the affected directors, providing information on the breach and communicating the steps taken to contain the impact. An investigation was launched with a leading cyber forensic expert who outlined the response.
We noted that the Ombudsman had been notified outside the statutory notification period. The fund explained that given the high volume of data and number of affected directors, and the location of the incident (In Hong Kong), it had not been immediately apparent that the entities and directors in Cayman had been affected. We assessed the response and found that appropriate measures were taken, and the case was closed.