Regarding the cyberattack on the Consumer Council’s computer system while the information and scope involved are still under investigation, parties who may be affected must stay vigilant and refer to below for the related questions. The Council sincerely apologise for any inconvenience caused.
On 20 September 2023, the Council identified a malicious ransomware attack against its computer system. The attack has resulted in almost 80% damage of the computer system, causing temporary suspension to its complaint and CHOICE subscription hotline services and update of price comparison tools. The hotline services have resumed to normal operation after emergency repairs.
The ransomware note claims to have obtained certain data from the Council’s computer system, including employees and clients’ data, and other internal record documents. The Council has taken immediate action to strengthen the security measures of the system to prevent further attack by the hacker, whilst appointing a forensic expert immediately to conduct investigations. Upon obtaining further information, the case was reported to the Police in the morning of 21 September 2023, and the Council has also proactively notified the Office of the Privacy Commissioner for Personal Data of the incident. The Council is fully supporting the investigative efforts of the Hong Kong Police Force and undertaking repair and resumption of its system.
Temporary suspension was caused to the Council’s complaint and CHOICE subscription hotline services in the morning of 20 September 2023. Information updates of its online price comparison tools were also affected. The disruption has been resolved after emergency repairs. The Council’s hotline services have now resumed to normal, save for its email system which is still under repair.
Whilst investigation into whether and the extent of personal information leakage is ongoing, based on investigation to date and risk assessment, the following categories of personal information of the following classes of potentially affected individuals might be affected:
At this stage, there is no evidence that any personal data was misused. However, for prudence sake, any individual falling in one of the above categories of potentially affected individuals and had provided personal information to the Council should assume that they might potentially be affected and take precautionary measures.
We will contact you as soon as practicable if you are a potentially affected individual. You may also register your enquiry with our hotline 2929 2222 (for general public) or 2856 3123 (for CHOICE subscribers) if you consider that you might be affected or have any inquiry regarding the matter.
We have assessed identity theft and fraud as the major risks presented to potentially affected individuals.
You should consider taking the following precautionary measures:
You should:
You should:
We shall contact all individuals whom we consider might have been affected with advice on the precautionary measures set out under Q5 above. Individuals may also register queries with our hotline 2929 2222 (for general public) or 2856 3123 (for CHOICE subscribers).
Yes. The Council’s complaint case management system operates independently of other systems of the Council. The operation has been confirmed to be operating normally after inspection.
Since the incident, the Council has also been fully supporting and collaborating with the forensic expert and the Police to improve its security measures from different perspectives and strength its network security.
Date: 22 September 2023