Data Breach Incident
The Club was notified by law enforcement officers (the “Law Enforcement Officers”) on March 28th, 2022 regarding data found on a “command and control” (C2) server located in Taiwan, which the Law Enforcement Officers believe belonged to unknown persons suspected of committing cybercrimes. They wanted to meet and discuss because some data discovered appeared to relate to US nationals and they further suspected this data had come from ACC.
The C2 server (which was initially the subject of an investigation into another victim's case) has already been shut down by the relevant authorities.
A meeting was held on March 31st, which was the earliest the Law Enforcement Officers could meet, where they shared some of the data they had discovered. The meeting was attended by the Past and Present MIS Committee Chairs, Management, and representatives from the Club’s Law Firm. The Board President was also fully apprised of the situation.
We were clearly advised that there is no investigation of ACC, just the need for ACC to cooperate in their investigation as the victim of this cybercrime incident. We confirmed that this data is indeed ACC Membership data, and includes Membership Number, Names, Email addresses, Mobile Phone Numbers and Date of Birth (collectively, the “Members’ Personal Data”). Please note that since the C2 server has already been shut down, the Members’ Personal Data on the C2 server would not be used by any person. However, the Law Enforcement Officers were uncertain whether the Members’ Personal Data had been transferred to other databases or servers.
The Law Enforcement Officers wanted to carry out a two-week monitoring period and they expressed concerns about releasing information about this incident beyond a small group until they had done their monitoring and sufficient remediation work had been carried out, since there was a risk that the hackers may take further measures if they realized their activities had been discovered. Their advice was followed.
The case investigation is ongoing, but it appears the hackers first gained access to the ACC network in June 2021, and continued to have intermittent access until the server was shut down.
The Law Enforcement Officers recommended that ACC engage a specialist contractor as soon as possible to first seal the vulnerability and then cleanse the entire network of any malware that exists within it. This was immediately actioned.
The situation has been escalated to the Executive Committee and the Board has also been apprised of the situation. At all times the Club has followed the advice and recommendations of the Law Enforcement Officers.
The situation will raise various questions; please find below a short Q & A for you to review:
Q1. Has other personal data in addition to the Members’ Personal Data also been leaked?
- No evidence has been presented to ACC of this.
Q2. Has Members’ credit card information been leaked?
- No evidence has been presented to ACC of this.
Q3. Why did the Club wait until to inform all Members of this incident?
- This was on the advice of the Law Enforcement Officers and cyber security experts. If the perpetrators had become aware that their activities had been discovered prior to completion of the investigation team’s monitoring, and before adequate remedial measures had been carried out by the Club, there was a risk of intensified activities by the perpetrators.
Q4. What actions has ACC taken in response to this occurrence?
- The law enforcement team immediately set up monitoring of traffic to and from ACC, and this was run for a period of 2 weeks.
- In order to protect the Members’ personal data, expert professional assistance was immediately engaged from cyber security specialists. The companies engaged have extensive experience in these matters, and work extensively with government organizations, as well as financial institutions and a variety of business sectors.
- Under the guidance and advice of these experts, response activities were prioritized and executed.
- First response activities were completed to the satisfaction of the cyber security experts within 24 hours.
- Further remediation and precautionary activities are continuing in order to ensure all remaining threats have been identified and eliminated.
Q5. What action should I take in response to this event?
- Change the passwords of accounts associated with your email address or mobile number.
- Change your ACC website password.
- As always: ACC reminds you that you will never be asked to make ATM or wire transfer payments to any bank account other than the one shown at the bottom of your monthly statement. If you are in any doubt about the authenticity of emails or phone calls received from the Club – regardless of who they appear to be from – then please call the ACC Front Desk team on 2885-8260 ext. 878 to check.
Q6. How likely is it that I will receive fraudulent attempts?
- It is possible that hackers may contact you via email, text message or phone call in an attempt to defraud you.
- They may seem very credible since they know your details (name, age, DOB, etc.). Please be extra careful and exercise good judgement.
Q7. What actions is ACC taking to prevent recurrence?
- Initial focus was to ensure current security measures were strengthened, and that ACC’s systems were clear of any potential ongoing threats.
- Our next focus will be on getting specialist advice as to what further measures should be put in place to further strengthen protection. This will be a primary focus of the MIS Committee and Management in the immediate future.
It is most regrettable that we were implicated in a difficult cybercrime situation, and we are sorry for the inconvenience caused. We will continue to work with the Law Enforcement Officers as well as upgrade the protection of ACC’s network and database.