Data of 900 Hongkongers exposed in hack attack of WhatsApp accounts

Almost 900 Hong Kong people were victims of data breaches over the last month after fraudsters hijacked the WhatsApp accounts of social services and schools, the city’s privacy commissioner revealed on Thursday.

The Office of the Privacy Commissioner for Personal Data said that fraudsters had hacked the WhatsApp accounts of five social welfare services and schools and impersonated the organisations in a bid to defraud people listed in their address books.

The news came as the Hong Kong Computer Emergency Response Team Coordination Centre warned of a rise in phishing traps designed to target instant messaging platforms such as WhatsApp.

The privacy commissioner said details, including names and mobile phone numbers, for service users, school staff, parents and pupils were believed to have been compromised in the latest attack.

Officials added that the organisations involved had notified the people affected by the fraudsters.

The privacy commissioner’s office explained WhatsApp hijacking happened when fraudsters impersonated friends and relatives, or used fake WhatsApp websites, to obtain telephone numbers and app registration codes.

Once the fraudsters gain access to an account, they try to swindle money or access personal information by messaging the victim’s contacts.

The computer emergency response team added hackers could also create counterfeit login web pages with QR codes that could be used to access victims’ accounts.

It added that the hackers used paid advertisements so that the fake pages would appear high up on search engine pages.

If a user scanned the QR code, hackers could gain access to the victim’s account, photos, videos, documents, chat records and contact book details.

Hackers could also assume the identity of the victim, and use the account access to send messages to contacts, such as requesting fund transfers.

The cybersecurity experts appealed to the public to always verify the URLs of instant messaging platforms before they logged in and to avoid clicking on links from unknown sources such as search engine advertisements.

They added that people should check for unknown devices being linked to their accounts and routinely check archive folders for malicious records.

If someone fears their personal details may have been leaked, they can file a complaint with the privacy commissioner’s office.

The Post has contacted Meta, WhatsApp’s parent company, for comment on the latest data breaches.

WhatsApp was last year involved in a data scandal, with online publication Cybernews reporting that the mobile phone numbers of nearly 500 million users, including as many as 3 million in Hong Kong, had been compromised and listed for sale on a prominent online hacking forum.

But Meta denied the allegations and insisted the report was “speculative” and “unsubstantiated”.

The company added it had found no evidence of a data leak on WhatsApp systems.

The city had the highest rate of suspected digital fraud attempts among markets studied in a report released on Wednesday by TransUnion, a consumer credit reporting agency based in the United States. It found that while the average global suspected digital fraud rate was 5.3 per cent in the first half of 2023, it stood at 18.3 per cent for Hong Kong.

Scams related to travel and leisure dominated fraud attempts in Hong Kong, at 8.3 per cent, according to the TransUnion report.

The agency previously found that 38 per cent of consumers in the city had reported being the targets of fraud.

In September, the city’s showcase IT park Cyberport apologised after a data theft led to sensitive staff information being offered for sale on the dark web. It pledged to invest resources as needed to strengthen network security, while also admitting the extent of the leak was still being investigated.