The head of Hong Kong’s consumer watchdog apologised on Friday over a potential leak of personal data involving more than 8,000 people following a cybersecurity attack.
An unknown ransomware group had threatened to leak the data by Saturday night if a US$500,000 demand was not met, said Consumer Council chairman Clement Chan Kam-wing, who addressed the public over the incident that had shut down 80 per cent of the institution’s internal computer systems.
“The council expresses its sincere apologies for the inconvenience caused to the public … It remains to be confirmed whether a personal data breach was involved and the scope of the coverage,” Chan said, adding the council had refused to pay the ransom.
He called on individuals possibly affected to stay vigilant in the next few days and not to click on any suspicious links.
He said the breach was only detected on Wednesday morning, about seven hours after most of its systems had been crippled, and it was not caused by human error or mistakes made by council employees.
According to the consumer watchdog, data potentially stolen included: credit card credentials of about 8,000 monthly subscribers of Choice, a consumer-related magazine; identification documents, addresses and birth dates of both former and current council staff, as well as such details for their family members; resumes of job applicants who had applied for positions in the past two years; and the contact information of business partners.
Individuals who had made complaints via the council were less likely to be affected, the body said, as a separate system managed such cases and only stored their phone numbers and email addresses.
Chan said the hackers demanded payment of a US$500,000 ransom before 11.20pm on Saturday, which the council had rejected.
He strongly condemned the unlawful act, saying the watchdog would not be extorted.
The council has become the latest local institution to fall victim to hackers. Last week, the Cyberport tech hub apologised for a data theft in August that led to sensitive staff information being put up for sale on the dark web, a hidden collective of websites only accessible by a specialised web browser.
But the council’s chief executive Gilly Wong Fung-han said there was “no way to prevent” the unexpected attack, despite regular check-ups and tests on its cybersecurity system, noting it was impossible to be “bulletproof”.
Wong said the extent of the hack was still uncertain and the organisation was working on notifying the potentially affected individuals.
Chairman Chan said he was unsure whether ransomware had become a trend targeting authorities.
“We will not lower our guard as we are attempting to repair our system with a close inspection and risk assessment of future digital security,” he said.
He described the data theft as “unfortunate” but stopped short of saying whether the government had alerted the council to strengthen the security of its systems after the Cyberport hack.
“It is a lesson to learn,” he said.
The council would gradually bring services back online once experts finished evaluating other potential risks, Wong said, explaining staff were now able to log in to their system.
The council on Thursday said on its website it had experienced a “system disruption” on Wednesday morning. Technicians had discovered a data transfer 65GB larger than usual when staff clocked in on Wednesday morning.
It subsequently filed a report to police and the Privacy Commissioner’s Office on Thursday morning, and appointed an internal forensic expert to conduct an investigation.