The Office of the Privacy Commissioner for Personal Data said that fraudsters had hacked the WhatsApp accounts of five social welfare services and schools and impersonated the organisations in a bid to defraud people listed in their address books.
The news came as the Hong Kong Computer Emergency Response Team Coordination Centre warned of a rise in phishing traps designed to target instant messaging platforms such as WhatsApp.
The privacy commissioner said details, including names and mobile phone numbers, for service users, school staff, parents and pupils were believed to have been compromised in the latest attack.
Officials added that the organisations involved had notified the people affected by the fraudsters.
The privacy commissioner’s office explained WhatsApp hijacking happened when fraudsters impersonated friends and relatives, or used fake WhatsApp websites, to obtain telephone numbers and app registration codes.
Once the fraudsters gain access to an account, they try to swindle money or access personal information by messaging the victim’s contacts.
The computer emergency response team added hackers could also create counterfeit login web pages with QR codes that could be used to access victims’ accounts.
It added that the hackers used paid advertisements so that the fake pages would appear high up on search engine pages.
If a user scanned the QR code, hackers could gain access to the victim’s account, photos, videos, documents, chat records and contact book details.
Hackers could also assume the identity of the victim, and use the account access to send messages to contacts, such as requesting fund transfers.
It added people should check for unknown devices being linked to their accounts and routinely check archive folders for malicious records.
If someone fears their personal details may have been leaked, they can file a complaint with the privacy commissioner’s office.
The Post has contacted Meta, WhatsApp’s parent company, for comment on the latest data breaches.
WhatsApp was last year involved in a data scandal, with online publication Cybernews reporting that the mobile phone numbers of nearly 500 million users, including as many as 3 million in Hong Kong, had been compromised and listed for sale on a prominent online hacking forum.
But Meta denied the allegations and insisted the report was “speculative” and “unsubstantiated”.
The company added it had found no evidence of a data leak on WhatsApp systems.
The city had the highest rate of suspected digital fraud attempts among markets studied in a report released on Wednesday by TransUnion, a consumer credit reporting agency based in the United States. It found that while the average global suspected digital fraud rate was 5.3 per cent in the first half of 2023, it stood at 18.3 per cent for Hong Kong.
Scams related to travel and leisure dominated fraud attempts in Hong Kong, at 8.3 per cent, according to the TransUnion report.
The agency previously found that 38 per cent of consumers in the city had reported being the targets of fraud.