
Cyberattack on the Consumer Council’s Computer System

  • 2023.09.22

The Consumer Council confirmed today (22 September 2023) that a malicious ransomware attack against its computer system was identified on Wednesday morning (20 September 2023). The attack has damaged almost 80% of the computer system, disrupting its hotline services and the updating of its price comparison tools. The Council has taken immediate action to strengthen the security measures of the system to prevent further attacks by the hacker, whilst appointing a forensic expert immediately to conduct investigations. Hotline services have now resumed after emergency repairs. The case was reported to the Police yesterday morning (21 September 2023), and the Council has also proactively notified the Office of the Privacy Commissioner for Personal Data of the incident.

The ransomware note claims to have obtained certain data from the Council’s computer system, including employees’ and clients’ data, and other internal record documents. Since the cyberattack, the Council has been working closely with the forensic expert to thoroughly investigate the system. It has been verified that the data transfer volume was 65GB higher than usual during some 7 hours of the attack, yet it remains to be confirmed whether a personal data breach was involved and, if so, its scope. The Council will announce any further updates immediately via various channels, including its official website and social media pages. Furthermore, the Council will make every effort to reach out to the possibly affected data subjects in the next few days, urging them to stay vigilant, exercise increased caution and never open or click on suspicious links, emails or messages. The Council will also provide FAQs on its website for potentially affected data subjects’ reference and information.

Although the content of the suspected breached data is yet to be confirmed, based on risk assessment, it potentially involves the following four types of individuals and their data:

  1. Data of current and former staff and their family members, and job applicants, such as HKID number, address, date of birth and CVs;

  2. CHOICE subscribers’ data, including that of 8,000 subscribers who had provided their credit card information to the Council;

  3. Complainants’ data, but as the complaint case management system operates independently, the operation was confirmed to be largely normal after inspection;

  4. Stored data of the Council’s work partners, including company address, contact number, email, and possibly some mobile numbers.

The Council strongly condemns the unlawful cyber activity of hackers and will not succumb to ransomware extortion. The Council will continue to fully support the investigative efforts of the Hong Kong Police Force to bring the culprits to justice, so as to enforce cybersecurity and safeguard consumer interests. The Council expresses its sincere apologies for the inconvenience caused to the public.

Potentially affected individuals should exercise vigilance to guard against identity theft or fraud. To safeguard personal data privacy, the following measures should be taken:

  1. Reset and regularly change online account passwords, and enable multi-factor authentication (if available);

  2. (If credit card information was provided) notify the credit card issuer that the card might have been compromised and/or request a replacement card;

  3. Regularly review bank account statements and messages in order to identify any unauthorized or suspicious activities;

  4. Watch for any unusual login or message exchange records in personal email or accounts;

  5. Exercise extra precaution when receiving unknown or suspicious calls, SMS or emails; do not casually open attachments or disclose personal information;

  6. Verify the source of calls, SMS or emails from the Council. If in doubt, contact the Council via its official hotline (29292222). Please note that the Council will not solicit users’ account numbers, passwords and login details, or request you to enter into transactions, via these communication channels; and

  7. Exercise extra vigilance against phishing and other fraudulent behaviour.