Personal data of 25,000 Hongkongers at risk after cyberattack against watchdog

Hong Kong’s Consumer Council has revealed that the personal data of more than 25,000 people may have been leaked in a cyberattack against the watchdog, up from an earlier estimate of 8,000.

Gilly Wong Fung-han, chief executive of the council, on Monday also said computer systems operating its external services, such as those handling inquiries and a price checking tool, had been restored, but there could be delays in addressing complaints.

“We will spare no effort in handling this matter,” she said. “Even if we don’t know who exactly has been affected by the data leak, out of an abundance of caution, we will notify different people so they can be extra careful,” she told a radio programme.

Council chief executive Gilly Wong (left) and chairman Clement Chan meet the press. Photo: Edmond So

Wong said the council had notified individuals deemed as high risk in the potential data leak, which included staff, former employees, 25,000 subscribers of its Choice magazine over the past two years and 1,600 voters who took part in previous events.

Last week, the council said the cyberattack, which crippled most of its systems, could have affected 8,000 magazine subscribers.

It revealed that data potentially stolen included: credit card credentials of about 8,000 monthly subscribers of Choice magazine; identification documents, addresses and birth dates of both former and current staff, as well as such details of their family members; resumes of people who had applied for jobs in the past two years; and contact information of business partners.

Head of Hong Kong consumer watchdog apologises over potential personal data leak

Wong conceded that the watchdog had yet to determine how many people had been affected as it was waiting for a report by a forensic expert on what files had been stolen.

The watchdog received 106 inquires between September 22 and September 24, mostly from subscribers of the magazine asking about their credit card information to help with cancellations.

The council last Friday said at a press conference that it had fallen victim to a cyberattack and anonymous hackers had threatened to leak personal data by Saturday night if a ransom of US$500,000 was not paid.

The hacking follows a separate incident involving Cyberport, which apologised for a data leak following a cyberattack against the tech hub in August. The breach led to sensitive staff information being put up for sale on the dark web, a hidden collective of websites only accessible by a specialised web browser.

Hong Kong Consumer Council falls victim to hackers 1 month after tech hub attacked

Anthony Lai Cheuk-tung, a malware analyst and security incident responder at Hong Kong-based cybersecurity firm VX Research, said his team had not found any data linked to the council on the dark web so far.

He said the watchdog had responded more swiftly to the cyberattack compared with Cyberport.

“I think the council did a good enough job. It has done well,” he said on the same radio show.

Lai urged the government to provide more funding and support to government departments and public institutions to ensure they had robust cybersecurity measures, as they often held a lot personal information and usually lacked the resources to protect it.