Cyber Incident Victim: Drug Safety Testing Center (DSC)
Date: May 2025
Location: Hong Kong
Summary
The Drug Safety Testing Center (DSC) experienced a ransomware attack on part of its computer system, compromising data of approximately thirty employees and twenty customers. Upon discovery, the center disconnected and isolated the affected servers, activated an incident task force, and reported the matter to police. Authorities including the Innovation, Technology and Industry Bureau, Innovation and Technology Commission, Digital Policy Office, and the Office of the Privacy Commissioner for Personal Data were notified in line with procedure. The center is working with its outsourced contractor and cybersecurity experts, informing affected individuals and organizations as appropriate, and cooperating with the police investigation. An independent third‑party cybersecurity expert has been engaged to review the incident, conduct remediation, and produce an investigation report.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
The Drug Safety Testing Center (DSC) discovered an information security incident on 12 May 2025 when a malicious ransomware attack was detected on part of its computer system. The DSC’s systems operate independently from those of the Hong Kong Science and Technology Parks Corporation (HKSTP), with its information security functions managed by an outsourced contractor. Upon detection, the center immediately disconnected and isolated the affected servers from the relevant network to prevent further intrusion. An incident task force was activated to coordinate the response, and the case was reported to the police as required by procedure. In parallel, DSC implemented enhanced security measures to limit the spread of the ransomware and protect remaining assets.

The ransomware compromise involved the personal data of approximately 30 DSC employees and 20 customers of the center. Following established protocols, DSC notified the Innovation, Technology and Industry Bureau, the Innovation and Technology Commission, the Digital Policy Office, and the Office of the Privacy Commissioner for Personal Data. The testing center maintained close communication with its outsourced contractor and engaged cybersecurity experts to assist with the investigation. Affected organisations and individuals were notified as appropriate, and HKSTP affirmed its full cooperation with the ongoing police investigation. To ensure a thorough review, an independent third‑party cybersecurity expert was commissioned to analyze the incident, support remediation efforts, and produce an investigation report.

DSC was launched in 2022 to provide Good Laboratory Practice (GLP) preclinical services for evaluating the safety of therapeutic solutions and medical devices. The HKSTP spokesperson emphasized that information and network security have remained a priority for the organization. The statement concluded by advising the public to contact the police or HKSTP immediately if they receive any suspicious emails or messages purporting to be from the Drug Safety Testing Center.
