Hong Kong’s technology chief condemns hacking attack on Cyberport, urges tech hub and government departments to upgrade security
Hong Kong’s technology chief has condemned a hacking attack on Cyberport that siphoned off a large amount of staff data, while urging the tech hub and government departments to tighten security measures to prevent a repeat of the crime.
Secretary for Innovation, Technology and Industry Sun Dong on Wednesday said the government was deeply concerned about the cyberattack, which saw 400GB of personal data belonging to staff, former workers and job applicants stolen in August. Some of the information was leaked to the dark web, a secretive side of the internet frequented by criminals.
“The government strongly condemns the cybercrime in question,” Sun said, revealing the tech hub was also the subject of multiple failed attacks carried out by the same hackers in the weeks after the first one on August 18.
Hackers succeeded in stealing the data on their first attempt by gaining unauthorised access to Cyberport’s system, Sun said, but the incident was not revealed to the public until last week.
After meeting the tech hub’s top management on Tuesday, Sun said he asked them to strengthen protection of sensitive data stored on network systems and plug all loopholes.
“I also instructed Cyberport to fully cooperate with police and independent cybersecurity experts in their detailed investigation of the whole incident,” he said. “Cyberport should disclose more information to the public if and when conditions allow it.”
The technology chief instructed all government departments and public organisations through the Office of the Government Chief Information Officer to “learn a lesson from the Cyberport incident” and immediately review existing security measures.
Security concerns over the cyberattack have grown, with the tech hub facing calls to compensate affected parties.
Anthony Lai Cheuk-tung, a malware analyst and security incident responder at Hong Kong-based cybersecurity firm VX Research, on Wednesday said updated security measures could have prevented the theft.
“I’d like to ask if Cyberport performed regular penetration tests and repaired relevant security measures accordingly,” Lai told a radio show. “This attack could have been avoided because the loopholes and incorrect settings that enabled the attack are from two to three years ago, if not earlier. This should not have happened.”
A ransomware group reportedly demanded that Cyberport pay US$300,000 for the return of the data by Tuesday, with the tech hub confirming on the same day that the stolen information had resurfaced online. Cyberport did not say whether it paid the ransom.
Lai said the incident “raised eyebrows” given the scale and status of Cyberport as the city’s leading tech hub, questioning if there was any negligence on its part given it should have plugged known loopholes.
He added the government and banks conducted a penetration test annually to identify security loopholes and minimise cybersecurity risks.
Cyberport should also compensate affected parties, including staff, ex-employees and job applicants, with the amount for each affected individual between US$1,000 and US$4,000, Lai said, citing relevant regulations in Singapore and mainland China.
Lawmaker Johnny Ng Kit-chong told the same programme no precedent existed in Hong Kong for such compensation, but agreed a review of the legislation should be conducted if there was public consensus.
He said Cyberport should look into whether its security systems had been regularly updated and review internal operations guidelines to ascertain if a system or human error allowed the attack.
Ng added the stolen data was of “considerable” size, voicing concern over whether similar attacks could befall government departments.
According to Cyberport, the stolen data included names and contact details of individuals, human resources data, as well as a small number of credit card records.
One former staff member of Cyberport, whose salary and bonus history was leaked by the hackers, called the incident “outrageous”.
“I am enraged,” she said. “There has been no apology from the management, no one has had to step down. They are only issuing statements and holing up.”
The woman, who worked at Cyberport for several years and left only recently, said she remained in touch with former colleagues via a WhatsApp chat group. She said all of them were deeply worried about whether their personal information would be used in crimes, such as fake marriages or fraudulent loans.
None of the former colleagues in her circle had been contacted by management for what was being billed as “complimentary identity monitoring services”, she said.
“The Innovation, Technology and Industry Bureau is responsible for monitoring the operations of Cyberport. Should they be doing something? This is not something that can be brushed off with a statement,” she said, adding senior ministers, such as the permanent secretary for the bureau, sat on the tech hub’s board of directors.
Cyberport on Tuesday condemned the attack and revealed it did not disclose it had been hacked on August 18 until last week, after the data theft came to light on social media.
The breach was first disclosed earlier this month by cybersecurity information platform FalconFeedsio, which said on social media that ransomware group Trigona had added Cyberport to its victim list.
According to Palo Alto-based cyber-risk consultancy Unit 42, Trigona ransomware is relatively new and was first discovered by security researchers in late October 2022, with organisations involved in manufacturing, finance, construction, agriculture, marketing and hi-tech industries targeted.
The ransomware group said it had gained access to more than 400GB of Cyberport data and offered to sell the information for US$300,000, according to the social media post.
Experts estimated earlier that sensitive information on at least 400 people was involved, assuming one person’s personal data took up 1GB.







