Cyberport reveals stolen data of staff and job applicants appear on dark web

Hong Kong tech hub Cyberport has revealed that some of the stolen personal data of its staff, former employees and job applicants have appeared on the dark web.

This comes as Cyberport discovered an intrusion into its systems in mid August and reported to the Hong Kong Police Force (HKPF) and the Office of the Privacy Commissioner for Personal Data (PCPD). On 6 September, Cyberport was aware that some information available on the dark web could potentially be related to the incident and it contacted persons who may have been affected.

A week later on 12 September, Cyberport released another statement confirming that the personal data of existing staff, ex-employees and job applicants from Cyberport, including their names, contact details, human-resources related data and a small number of credit card records, were released on the dark web. 

It also defended its decision not to disclose the incident until last week as there was no evidence of any misuse of personal data and it did not want to cause any “unnecessary concern”. 

Cyberport has over 1,900 members including over 800 onsite and close to 1,100 offsite start-ups and technology companies, a check by MARKETING-INTERACTIVE saw on its website. The tech hub said it has contacted potentially affected persons and will provide complimentary identity monitoring services. It has also set up a dedicated website to provide more information. 

Meanwhile, The Office of Privacy Commissioner for Personal Data (PCPD) said it had received one inquiry from a person affected by the data leak. The privacy watchdog said it had initiated a compliance investigation into the incident.

On the other hand, Sun Dong, secretary for innovation, technology and industry, urged Cyberport to comprehensively improve the protection of network systems and sensitive data files, plug the loopholes and avoid similar incidents from happening again. Sun added that Cyberport had been attacked multiple times in the past few weeks, but no more data leaks had occurred.

Don't miss: 'More regular security audits should be conducted,' say IT experts over myTV Super's data breach

Commenting on the incident, Ho Wa Wong, conveyor of Open Data Working Group, Internet Society Hong Kong, told MARKETING-INTERACTIVE that Cyberport’s reaction to the data breach was passive.

“While Cyberport defended its move not to disclose the incident earlier, it should notify all potential victims right after it discovered there was a cyber attack. It is unacceptable that Cyberport didn't know the scope of leakage and potential impacted area. It has the responsibility to notify the victims properly and conduct root cause analysis."

Wong added that Cyberport is seen as Hong Kong's flagship tech hub, this incident may affect the image of local innovation and technology (I&T) industry. 

Agreeing with his view was Francis Fong Po Kiu, honorary president of the Hong Kong Information Technology Federation, who said that apart from known victims of the incident, Cyberport also needs to inform units that they have cooperated with and let them conduct precautionary measures."

MARKETING-INTERACTIVE has reached out to Cyberport, PCPD and the police for a statement. 

Related articles:

HK privacy watchdog releases new guidelines on data breach handling
'More regular security audits should be conducted,' say IT experts over myTV Super's data breach
HK privacy watchdog to check credit reference agencies amid Softmedia's data breach crisis
OT&P Healthcare apologises over data breach, 100k patients reportedly impacted