Hong Kong’s consumer watchdog has revealed that certain data of its employees and clients, as well as 8,000 subscribers of CHOICE magazine, may have been compromised following a ransomware attack.
Clement Chan, chairman of the Consumer Council, said in a media briefing on Friday (22 September) that the seven-hour attack caused damage to almost 80% of its computer system, disrupting its hotline services and updates to its price comparison tools. A data transfer volume 65GB higher than usual was observed, said Chan.
While it remains to be confirmed whether a personal data breach was involved and what its scope is, Chan said data of current and former employees, job applicants and clients, as well as other internal documents, may be at risk of unauthorised exposure, including company address, contact number, HKID number, address, date of birth and resume.
Furthermore, the credit card information provided by 8,000 subscribers of its monthly magazine CHOICE may have been compromised. Chan said the council will not pay the ransom, which is valued at between US$500k and US$700k.
Chan said that within 48 hours of the incident, the council appointed a forensic expert to conduct investigations, and the case was reported to the police on Thursday. The council has also notified the Office of the Privacy Commissioner for Personal Data (PCPD) of the incident.
The council apologised for the inconvenience caused and will reach out to the possibly affected individuals and business partners in the next few days, urging them to stay vigilant, exercise increased caution and never open suspicious links, emails or messages.
Separately, the PCPD confirmed that it had received a data breach notification from the consumer watchdog on Thursday and has commenced a compliance check into the incident in accordance with established procedures.
The PCPD recommended that organisations which handle personal data establish clear internal policies and procedures on data governance and data security, including the appointment of suitable personnel in a leadership role to bear specific responsibility for data security, and ensure that sufficient training is provided for staff members.
Commenting on the incident, Francis Fong Po Kiu, honorary president of the Hong Kong Information Technology Federation, told MARKETING-INTERACTIVE that after hackers stole the data, they would use it for blackmail. “Public institutions usually do not pay the ransom, and the hackers are likely to ‘reveal’ the data and make it public.”
He believed the council should find out what information has been leaked and who is involved and notify relevant people as soon as possible.
Meanwhile, Ho Wa Wong, convenor of Open Data Working Group, Internet Society Hong Kong, said the council needs to recruit professional cybersecurity experts to conduct inspections and submit reports on a regular basis. Employee training on cybersecurity is also necessary, he added.