Out-Law News

Pacnet security breach could spur interest from a number of Asian privacy watchdogs, says expert

Data protection authorities from across Asia could show interest in a data breach experienced by the Hong Kong and Singapore-based telecoms and data centre operator Pacnet, an expert has said.

Telstra, the Australia-based telecoms giant and owner of Pacnet, has reported that a hacker gained unauthorised access to Pacnet's "corporate IT network" after using malicious software to exploit a weakness in the company's IT security. The breach "ultimately led to the theft of admin and user credentials", Telstra's chief information security officer Mike Burgess said in a statement.

Hong Kong-based technology law expert Peter Bullock of Pinsent Masons, the law firm behind Out-Law.com, said there had been a "significant delay" in the publicising of the breach.

Telstra said it only became aware of the breach "shortly after" completing its takeover of Pacnet in mid-April. It said it took "immediate action to investigate and respond to the breach". However, despite conducting a "detailed assessment of Pacnet’s network security and engaging an expert external incident response team to assist with our monitoring and protective measures", Telstra said it is unsure about who carried out the attack. It said, though, that the company has "removed all known malicious software and put in place additional monitoring and incident response capabilities" following the breach.

"There clearly has been a significant delay in Pacnet and Telstra publicising the breach in this instance," Bullock said. "Ideally, some form of statement should be issued within 48 to 96 hours of a data breach, although this will depend on the complexity of the incident companies falling victim to data breaches have to deal with. The fact that Pacnet and Telstra were finalising a corporate transaction between themselves in part explains, but does not excuse, the apparent delay in this case."

Bullock said that the office of Hong Kong's privacy commissioner (PCO) has established a code of practice which "encourages data users and controllers to report data breaches to both the PCO and the affected data subjects timeously". However, data breach notification in Hong Kong is not a legal requirement and there is "currently no legal sanction specifically for failing to notify a data breach", he said.

Bullock said, though, that the PCO has some enforcement powers available to it when data breach incidents affecting Hong Kong citizens come into the public domain.

"Once publicised, if a breach has resulted from an earlier lapse in compliance with a data privacy principle – and one such principle is that personal data is kept secure – then enforcement notices will swiftly follow," Bullock said. "If data exposed in a breach is not personal data then this takes it out of the jurisdiction of the privacy commissioner, and private law remedies only would be brought into play."

Bullock said that other data protection authorities elsewhere in the Asia Pacific region could show interest in the Pacnet data breach if the hacker gained access to personal data in the attack.

"An area of great interest, and complexity, is which national laws are brought into play following a data breach," Bullock said. "A jurisdiction is legally relevant if the data was collected in that jurisdiction; a data subject suffered loss in that jurisdiction; or conceivably if the data was wrongfully processed in that jurisdiction. Given the nature of Pacnet’s business is, in part, providing cloud computing services, the prospect of very widely distributed loss of data would appear to be a possibility in this case."

Bryan Tan, expert in data protection law at Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, said that Singapore's Personal Data Protection Commission (PDPC) indicated in recent guidelines that companies that fail to inform it that they have experienced a data breach are more likely to be considered to have failed to adequately protect the security of that data under Singapore's data protection regime.

The PDPC's guidelines said: "Notifications made by organisations or the lack of notification, as well as whether organisations have adequate recovery procedures in place, will affect PDPC’s decision on whether an organisation has reasonably protected the personal data under its control or possession."

Tan said there is a question over whether the PDPC would apply the guidelines to data breach incidents that occurred before they were issued. He said it is also unclear "how they apply to organisations which are also regulated by an industry regulator".

Mike Burgess of Telstra said that Pacnet's systems are kept separate from Telstra's and that there had been "no evidence" of a hacker gaining unauthorised access to Telstra’s networks.
