Consumer Council system breached by hackers for approximately 7 hours, ransom demand of US$500,000, suspected data leak including employee information


22nd September 2023 – (Hong Kong) The Consumer Council announced today that its computer system had fallen victim to a malicious hacker attack. The Council revealed that approximately 8,000 subscribers of the “CHOICE” monthly magazine, as well as employee and family member data, may have been compromised and could be at risk of unauthorized exposure. The hackers behind the attack have demanded a ransom of US$500,000 to US$700,000. However, the Consumer Council has firmly stated that it will not entertain the ransom demand and is committed to not paying any amount to the perpetrators. The Council acknowledges that the exact nature and extent of the data leak remain unknown at this time. It emphasised that the true extent of the breach will only be determined once a thorough investigation is conducted.

The attack inflicted substantial damage, affecting nearly 80% of the system and causing disruptions to the Council’s hotline services and price comparison tools. Responding swiftly, the Council has implemented immediate security measures to fortify its system against further attacks, while enlisting the expertise of forensic investigators to conduct a thorough investigation. Emergency repairs have allowed hotline services to resume, while the case was promptly reported to the Police yesterday morning. The Council has also proactively informed the Office of the Privacy Commissioner for Personal Data about the incident.

According to the ransomware note, the hacker claims to have obtained specific data from the Council’s computer system, including employee and client information, as well as internal records. Since the cyberattack, the Council has been working closely with forensic experts to conduct a comprehensive investigation. It has been ascertained that during the attack, there was a notable increase in data transfer volume, amounting to 65GB over a span of approximately 7 hours. However, it is yet to be confirmed whether any personal data breach occurred and the extent of the breach. The Council is committed to providing immediate updates through various channels, including its official website and social media pages. In the coming days, the Council will make every effort to reach out to potentially affected individuals, urging them to exercise caution, stay vigilant, and refrain from opening or clicking on suspicious links, emails, or messages to ensure cybersecurity.

Although the exact content of the potentially breached data is yet to be confirmed, a risk assessment suggests that it may involve four categories of individuals and their associated data:

  1. Current and former staff, their family members, and job applicants, including HKID numbers, addresses, dates of birth, and CVs.
  2. CHOICE subscribers, including approximately 8,000 subscribers who had provided their credit card information to the Council.
  3. Complainants, with the assurance that the complaint case management system operated independently and remained largely unaffected.
  4. Stored data of the Council’s work partners, including company addresses, contact numbers, emails, and potentially some mobile numbers.

The Council unequivocally condemns the illicit cyber activities of hackers and remains resolute in refusing to succumb to ransomware extortion. It pledges full support to the investigative efforts of the Hong Kong Police Force to bring the perpetrators to justice and reinforce cybersecurity measures to safeguard consumer interests. The Council extends its sincere apologies to the public for any inconvenience caused.

Potentially affected individuals are advised to remain vigilant and take steps to protect against identity theft or fraud. To safeguard personal data privacy, the following measures are recommended:

  1. Reset online account passwords regularly and enable multi-factor authentication if available.
  2. If credit card information was provided, notify the credit card issuer about the potential compromise and request a replacement card.
  3. Regularly review bank account statements and messages for any unauthorized or suspicious activities.
  4. Monitor personal email or account login records for any unusual access or message exchanges.
  5. Exercise caution when receiving calls, SMS, or emails from unknown or suspicious sources. Refrain from opening attachments or disclosing personal information casually.
  6. Verify the source of calls, SMS, or emails claiming to be from the Council. When in doubt, contact the Council via its official hotline (29292222). Note that the Council will never solicit users’ account numbers, passwords, login details, or request transactional information through these communication channels.
  7. Exercise heightened vigilance against phishing attempts and other fraudulent behaviour.