FAQ

Regarding the cyberattack on the Consumer Council’s computer system, the information and scope involved are still under investigation. Parties who may be affected must stay vigilant and refer to the related questions below. The Council sincerely apologises for any inconvenience caused.

On 20 September 2023, the Council identified a malicious ransomware attack against its computer system. The attack damaged almost 80% of the computer system, causing temporary suspension of its complaint and CHOICE subscription hotline services and of updates to its price comparison tools. The hotline services have resumed normal operation after emergency repairs.

The ransomware note claims to have obtained certain data from the Council’s computer system, including employees’ and clients’ data, and other internal record documents. The Council has taken immediate action to strengthen the security measures of the system to prevent further attacks by the hacker, whilst appointing a forensic expert immediately to conduct investigations. Upon obtaining further information, the case was reported to the Police on the morning of 21 September 2023, and the Council has also proactively notified the Office of the Privacy Commissioner for Personal Data of the incident. The Council is fully supporting the investigative efforts of the Hong Kong Police Force and undertaking repair and resumption of its system.

The Council’s complaint and CHOICE subscription hotline services were temporarily suspended on the morning of 20 September 2023. Information updates of its online price comparison tools were also affected. The disruption has been resolved after emergency repairs. The Council’s hotline services have now returned to normal, save for its email system, which is still under repair.

Whilst the investigation into whether personal information was leaked, and to what extent, is ongoing, based on the investigation to date and risk assessment, the following categories of personal information of the following classes of potentially affected individuals might be affected:

  • The Council’s employees, ex-employees and their family members: such as HKID card information, residential address, date of birth and CV.
  • Job applicants: such as HKID card information, residential address, date of birth and CV.
  • CHOICE subscribers: basic personal information and (for subscribers who have paid by credit card) credit card number and expiry date (but not the CVV number).
  • Complainants: mainly personal information of individuals who submitted complaint information via email, such as name, contact information and case information (including, where relevant, bank account and personal information contained in invoices, receipts, contractual documents and correspondence with the Council and the trader).  
  • The Council’s work partners: names, business contact information and (where provided to the Council) mobile phone numbers.

At this stage, there is no evidence that any personal data was misused. However, for prudence’s sake, any individual who falls in one of the above categories of potentially affected individuals and has provided personal information to the Council should assume that they might potentially be affected and take precautionary measures.

We will contact you as soon as practicable if you are a potentially affected individual.  You may also register your enquiry with our hotline 2929 2222 (for general public) or 2856 3123 (for CHOICE subscribers) if you consider that you might be affected or have any inquiry regarding the matter. 

We have assessed identity theft and fraud as the major risks presented to potentially affected individuals.

 

You should consider taking the following precautionary measures:

 

  • Reset and regularly change online account passwords and enable multi-factor authentication (if available);
  • (If credit card information was provided) notify the credit card issuer that the card might have been compromised and/or request a replacement card;
  • Check for any suspicious activity, observe any unusual bank account login or messages in email, SMS and accounts;
  • Regularly review bank account statements and messages for any unauthorized or suspicious activities;
  • Exercise extra precaution when receiving unknown or suspicious calls, SMS or emails;
  • Do not casually open attachments or disclose personal information in response to such calls, SMS and emails;
  • Be vigilant against phishing or other attempted scams;
  • Verify the source of calls, SMS or emails purporting to be from the Council. If in doubt, contact our hotline 2929 2222 (for general public) or 2856 3123 (for CHOICE subscribers). Please also note that the Council will not solicit or request verification of personal data, account numbers, passwords and login details, or request anyone to make payment or enter into any transaction, via these communication channels or links contained therein.

You should:

  • immediately report the incident to the credit card issuer and request cancellation or replacement of the card, as well as cancellation of the transaction and/or refund via chargeback mechanism;
  • report the matter to the Police; and
  • contact the Council via our hotline 2929 2222 (for general public) or 2856 3123 (for CHOICE subscribers).

You should:

  • immediately report the incident to the Privacy Commissioner;
  • if monetary loss was suffered, report the incident to the Police; and
  • contact the Council via our hotline 2929 2222 (for general public) or 2856 3123 (for CHOICE subscribers).

We shall contact all individuals whom we consider might have been affected with advice on the precautionary measures set out under Q5 above.  Individuals may also register queries with our hotline 2929 2222 (for general public) or 2856 3123 (for CHOICE subscribers).

Yes. The Council’s complaint case management system operates independently of other systems of the Council. The system has been confirmed to be operating normally after inspection.

Since the incident, the Council has also been fully supporting and collaborating with the forensic expert and the Police to improve its security measures from different perspectives and strengthen its network security.

Date: 22 September 2023