Hong Kong’s Cyberport is under fire as security concerns mount following an attack by hackers that exposed personal data of staff, former workers and job applicants, with the tech hub facing call to compensate affected parties.

Anthony Lai Cheuk-tung, a malware analyst and security incident responder at Hong Kong-based cybersecurity firm VX Research, on Wednesday said updated security measures could have prevented the theft.

The data breach reportedly means 400GB of personal and banking details of Cyberport employees and others are available on the dark web, a secretive side of the internet frequented by online criminals.

Data stolen from Hong Kong Cyberport includes staff details, credit card records

“I’d like to ask if Cyberport performed regular penetration tests and repaired relevant security measures accordingly,” Lai told a radio show on Wednesday. “This attack could have been avoided because the loopholes and incorrect settings that enabled the attack are from two to three years ago, if not earlier. This should not have happened.”

A ransomware group has reportedly blackmailed Cyberport earlier after hacking its computer systems and stealing and encrypting the data. It demanded that US$300,000 (HK$2.3 million) be paid by Tuesday, with the tech hub confirming on the same day that the stolen information had resurfaced online.

Cyberport did not say if it paid the ransom.

Advertisement

Lai said the incident “raises eyebrows” given the scale and status of Cyberport as the city’s leading tech hub, questioning if there was any negligence on its part given it should have plugged known loopholes.

He added the government and banks conducted a penetration test annually to identify security loopholes and minimise cybersecurity risks.

Hong Kong tech hub Cyberport alerts police following cybersecurity breach

Cyberport should also compensate affected parties, including staff, ex-employees and job applicants, with the amount for each affected individual between US$1,000 to US$4,000, Lai said, citing relevant regulations in Singapore and mainland China.

Lawmaker Johnny Ng Kit-chong on the same programme said there was no precedent of such compensations in Hong Kong, but agreed a review of the legislation should be conducted if there was public consensus.

He said Cyberport should look into whether its security systems had been regularly updated and review internal operations guidelines to ascertain if a system or human error allowed the attack.

Advertisement

Ng added the stolen data was of “considerable” size, voicing concern over whether similar attacks could befall government departments.

Hong Kong watchdog finds electoral office breached privacy rules over 2 data leaks

According to Cyberport, the leaked data included names and contact details of individuals, human resources data, as well as a small number of credit card records.

Advertisement

The tech hub on Tuesday condemned the attack and revealed it did not disclose it had been hacked on August 18 until last week, after the data theft came to light on social media.

The breach was first disclosed earlier this month by cybersecurity information platform FalconFeedsio, which said on social media that ransomware group Trigona had added Cyberport to its vic

Ransomware Trigona group has added Cyberport to its victim list.

According to Palo Alto-based cyber-risk consultancy Unit 42, Trigona ransomware is relatively new and was first discovered by security researchers in late October 2022, with organisations involved in manufacturing, finance, construction, agriculture, marketing and hi-tech industries targeted.

Advertisement

The ransomware group said it had gained access to more than 400GB of Cyberport data and offered to sell the information for US$300,000, according to the social media post.

Experts estimated earlier that sensitive information on at least 400 people was involved, assuming one person’s personal data took up 1GB.

Advertisement