FactWire apologises for data leak as newsletter subscriber info exposed

Hong Kong news agency FactWire 's newsletter system has been hacked last month, leading to the registration records of its newsletter subscribers being accessed by hackers.

In a statement on its website, the agency said it learned on 3 May that its newsletter delivery system was hacked on 14 April. "The IP address shows that the hacking was done from Hong Kong and that it had obtained access to the registration records of our newsletter subscribers. The information accessed includes the email addresses of more than 3,700 subscribers registered from July 2017 to January 2021, and the registered names of around 1,000 subscribers registered from November 2018 to October 2019," the agency said.

FactWire added that the donor list was not accessed by hackers. Although it did not see any record of the information being exported, the hacker might have accessed information through other methods.

Currently, the delivery of newsletters is suspended as the agency needs some time to rebuild the new system. "We are deeply sorry for not being able to properly protect the information of our subscribers. We immediately stopped using the system once we were informed of the incident. We have also immediately evaluated the security measures taken upon all our systems to ensure that all the personal information that we collect, including those of our donors and whistleblowers, are stored securely," the agency said.

Before the hacking, FactWire released two stories about the chief executive candidate John Lee, including a piece about his sons' business connection and another related to Lee's investment in properties in the 1990s.

In late March, FactWire published a report about one of Hong Kong's container hospitals in Lok Ma Chau. In the report, FactWire discovered that the layouts of it and quarantine facilities did not allow direct exits from rooms to the outdoors.

More recently, FactWire reported on 3 May that Hong Kong's contact tracing mobile app LeaveHomeSafe contains a facial detection feature in its source code but the government reiterated that the app has never used nor required any facial recognition function since its launch.

After converting the source codes into readable java source files, FactWire discovered that LeaveHomeSafe's source code file comprised about 20 folders, containing a subfolder named “reactnative” which further comprised three folders titled “facedetector”, “camera”, and “maskedview” respectively. FactWire added that one of the java files may be used to detect the positions of a person’s mouth, nose tip, left and right cheeks, eyes and ears. It can also detect the person's head tilt in degrees and calculate the probability that they are smiling or have each eye open.

However, after testing the app by entering debug mode, FactWire learned that the app only uses the rear camera of the device. It said the probability of the user’s face being detected is very low.

In response to the report, a spokesman for the Office of the Government Chief Information Officer (OGCIO) said the operation of the LeaveHomeSafe mobile app has never used nor required any facial recognition function since its launch.

(Photo courtesy:123rf)

Related articles
FactWire to launch after raising HK$3 million
HK government confirms LeaveHomeSafe app has facial detection module, requires developer to remove