Hong Kong’s consumer watchdog has fallen victim to hackers and has warned the public of a suspected data breach, just two weeks after it emerged that Cyberport tech hub suffered a data leak.

The Consumer Council said on Friday that a cyberattack against its computer system had been identified on Wednesday, causing damage to about 80 per cent of their systems and disruption to their hotline services and price comparison tools. Whether a personal data breach was involved, and the scope of the data leak, remains to be confirmed.

Consumer Council
Consumer Council. Photo: Consumer Council.

Sensitive data including the HKID numbers of current and former staff, and their family members, and credit card information for around 8,000 subscribers of the council’s monthly CHOICE magazine, are potentially at risk, the council said at a Friday press briefing. Job applicants may also be victims, they added.

The case has been referred to the police and reported to the Privacy Commissioner’s Office, a statutory body that ensures the protection of personal data. The Office said on Thursday that it was looking into the incident, as it appealed to possibly affected individuals to remain vigilant against the theft of their data.

Suspected data breach

The cyberattack likely occurred on Tuesday night and lasted some seven hours, during which “a data transfer volume of 65GB higher than usual was observed,” chairperson Clement Chan told reporters in English at the Friday press event.

consumer council hack
The consumer council’s website displys a warning message about a “system disruption” on Wednesday, September 20, 2023. Photo: Screenshot.

The council was not able to determine the scope of the data leak. It urged possibly affected individuals to be extra cautious about potential scams and take precautionary measures to ensure cybersecurity.

A ransomware note claimed to have obtained employee and client data during the attack, Chan said. It had demanded US$500,000 (HK$3.9 million) be paid by Saturday night, and up to US$700,000 (HK$5.5 million) if the deadline was not met.

“The council strongly condemns the unlawful cyber activity of hackers, and will not succumb to ransomware extortion,” Chan said, adding that the watchdog will support police investigations and expresses apologies to the public.

Police were not able to immediately respond to HKFP about the scope of the incident.

String of cyberattack

The leak came just two weeks after Cyberport revealed news of a data breach in August that led to sensitive personal information of staff being uploaded to the “dark web.”

Cyberport. File photo: GovHK.

The hack was disclosed to the public on September 6, nearly three weeks after Cyberport notified Hong Kong’s privacy watchdog, AFP reported.

In response, Hong Kong’s technology minister Sun Dong ordered all of its departments to step up digital security and urged public organisations to review their existing cybersecurity measures, RTHK reported.

When asked by reporters on Friday morning, Gilly Wong, chief executive of the Consumer Council, said in Cantonese they had recently reviewed their cybersecurity measures in light of the Cyberport leak, and had constantly conducted “security risk and audits” to protect computer systems.

“But it is quite hard to have a 100 per cent bulletproof system that is safe from any attack,” Wong said in Cantonese, calling the incident “hard to guard against.”

Support HKFP  |  Policies & Ethics  |  Error/typo?  |  Contact Us  |  Newsletter  | Transparency & Annual Report | Apps


Help safeguard press freedom & keep HKFP free for all readers by supporting our team

contribute to hkfp methods
tote bag support
YouTube video

Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit.

Hans Tse is a reporter at Hong Kong Free Press with an interest in local politics, academia, and media transformation. He was previously a social science researcher, with writing published in the Social Movement Studies and Social Transformation of Chinese Societies journals. He holds an M.Phil in communication from the Chinese University of Hong Kong.

Before joining HKFP, He also worked as a freelance reporter for Initium between 2019 and 2021, where he covered the height - and aftermath - of the 2019 protests, as well as the sweeping national security law imposed by Beijing in 2020.