Cyber Incident Victim: Hong Kong Consumer Council
Date: Sep 2023
Location: Hong Kong
Summary
The Hong Kong Consumer Council suffered a ransomware attack that compromised approximately 80% of its computer systems, disrupting complaint hotlines, subscription services, and price comparison tools. Attackers exfiltrated an estimated 65GB of data, potentially exposing sensitive information including current and former staff HKID numbers, family member details, credit card data of around 8,000 CHOICE magazine subscribers, and job applicant records. The Council refused a $500,000 ransom demand, engaged forensic experts, notified police and privacy authorities, and restored most services while continuing email system repairs. This incident occurred amid heightened cybersecurity concerns following a separate data breach at Hong Kong's Cyberport weeks earlier, prompting broader institutional security reviews across the region.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 20, 2023, the Hong Kong Consumer Council identified a ransomware attack against its computer systems that damaged approximately 80% of its infrastructure. The attack disrupted complaint and CHOICE magazine subscription hotline services and delayed updates to online price comparison tools. Emergency repairs restored hotline operations, though the email system remained under repair. Forensic analysis indicated the cyberattack likely occurred the previous night and lasted around seven hours, during which an unusually large data transfer of 65GB was observed. The attackers left a ransom note claiming possession of employee and client data, including internal documents, and demanded US$500,000 (HK$3.9 million) by September 23, threatening to increase the demand to US$700,000 (HK$5.5 million) if unpaid. The Council immediately engaged forensic experts, reported the incident to the Hong Kong Police Force on September 21, and notified the Office of the Privacy Commissioner for Personal Data. It confirmed that its complaint case management system operated independently and was unaffected.

Preliminary investigations revealed potential exposure of sensitive data, including Hong Kong ID numbers of current and former staff and their family members, credit card information for approximately 8,000 CHOICE magazine subscribers, and records of job applicants. While no evidence confirmed data misuse, the Council advised potentially affected individuals to assume compromise and monitor for identity theft or fraud. This incident followed a separate August data breach at Hong Kong’s Cyberport tech hub, disclosed publicly on September 6, which had prompted government directives to strengthen cybersecurity across public organizations. The Consumer Council stated it had recently reviewed its security measures following the Cyberport incident but acknowledged the difficulty of achieving absolute protection against sophisticated attacks. It refused to pay the ransom, condemned the hackers’ actions, and committed full cooperation with law enforcement while apologizing for service disruptions.
