Hong Kong’s consumer watchdog has fallen victim to hackers and has warned the public of a suspected data breach, just two weeks after it emerged that Cyberport tech hub suffered a data leak.
The Consumer Council said on Friday that a cyberattack against its computer system had been identified on Wednesday, causing damage to about 80 per cent of their systems and disruption to their hotline services and price comparison tools. Whether a personal data breach was involved, and the scope of the data leak, remains to be confirmed.
Sensitive data including the HKID numbers of current and former staff, and their family members, and credit card information for around 8,000 subscribers of the council’s monthly CHOICE magazine, are potentially at risk, the council said at a Friday press briefing. Job applicants may also be victims, they added.
The case has been referred to the police and reported to the Privacy Commissioner’s Office, a statutory body that ensures the protection of personal data. The Office said on Thursday that it was looking into the incident, as it appealed to possibly affected individuals to remain vigilant against the theft of their data.
Suspected data breach
The cyberattack likely occurred on Tuesday night and lasted some seven hours, during which “a data transfer volume of 65GB higher than usual was observed,” chairperson Clement Chan told reporters in English at the Friday press event.
The council was not able to determine the scope of the data leak. It urged possibly affected individuals to be extra cautious about potential scams and take precautionary measures to ensure cybersecurity.
A ransomware note claimed to have obtained employee and client data during the attack, Chan said. It had demanded US$500,000 (HK$3.9 million) be paid by Saturday night, and up to US$700,000 (HK$5.5 million) if the deadline was not met.
“The council strongly condemns the unlawful cyber activity of hackers, and will not succumb to ransomware extortion,” Chan said, adding that the watchdog will support police investigations and expresses apologies to the public.
Police were not able to immediately respond to HKFP about the scope of the incident.
String of cyberattack
The leak came just two weeks after Cyberport revealed news of a data breach in August that led to sensitive personal information of staff being uploaded to the “dark web.”
The hack was disclosed to the public on September 6, nearly three weeks after Cyberport notified Hong Kong’s privacy watchdog, AFP reported.
In response, Hong Kong’s technology minister Sun Dong ordered all of its departments to step up digital security and urged public organisations to review their existing cybersecurity measures, RTHK reported.
When asked by reporters on Friday morning, Gilly Wong, chief executive of the Consumer Council, said in Cantonese they had recently reviewed their cybersecurity measures in light of the Cyberport leak, and had constantly conducted “security risk and audits” to protect computer systems.
“But it is quite hard to have a 100 per cent bulletproof system that is safe from any attack,” Wong said in Cantonese, calling the incident “hard to guard against.”
Help safeguard press freedom & keep HKFP free for all readers by supporting our team
Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit.