Unauthorised access exposes personal data of 6,800 CSD workers

Personal data relating to serving and former staff was subject to unauthorised access.

About 6,800 serving and former staff of the Correctional Services Department (CSD) had their personal data subject to unauthorised access, following an IT security incident involving internal systems on 24 March.

The department said there is no evidence that the data has been leaked or disclosed, and has begun notifying potentially affected individuals whilst advising them to report any suspicious circumstances to the Police.

CSD added that illegal access was detected in its internal Knowledge Management System, which was then used to reach another system containing staff personal data.

The compromised information includes names, genders, dates of birth, academic qualifications, employment history within the department, and email addresses.

The department reported the incident to the Police, the Security Bureau, the Office of the Privacy Commissioner for Personal Data (PCPD), and the Digital Policy Office (DPO).

It has since isolated the Knowledge Management System, required password changes, reviewed all systems under its purview, activated backup procedures, and instructed an outsourced service provider to investigate.

CSD is also working with the PCPD and DPO to review the incident and strengthen data protection measures.