Date: May 2024

Location: Hong Kong

Summary

A Hong Kong secondary school experienced a ransomware attack compromising approximately 8TB of data, including personal information of current students, recent graduates, parents, staff, and tenants alongside academic documents. Hackers encrypted the data and left a ransom note, though its contents could not be read without specialized software. The institution immediately isolated its network, notified authorities and affected individuals, and initiated system-wide security scans and reinstalls expected to take over a week. While the full extent of data exposure remains undetermined, the incident follows a pattern of recent cyberattacks targeting local organizations. The school issued warnings about potential scams stemming from the breach and committed to strengthening its cybersecurity protocols.


Description

On May 13, 2024, IT staff at Hong Kong Institute of Contemporary Culture Lee Shau Kee School of Creativity (HKICC) discovered a ransomware attack compromising the school’s server. Hackers encrypted approximately 8TB of data spanning four years, affecting graduating students from 2021 onward, current students, registered parents, staff members, tenant records, and academic documents. The institution immediately shut down its campus network and wireless systems to contain the breach. That same day, HKICC reported the incident to the Education Bureau, Hong Kong Police, Office of the Privacy Commissioner for Personal Data (PCPD), and Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT). Notifications were issued to current students and parents, with plans to inform alumni and tenants after data restoration. The school initiated comprehensive server scans and system reinstallations across all college computers, estimating at least one week for completion. Vice Principal Ger Choi confirmed the attackers left a ransom note requiring specialized software to access, though specific demands remained unknown during initial investigations. HKICC remained uncertain whether exfiltrated data had been leaked publicly, but advised affected individuals to be cautious of unknown communications and potential scams.


The attack forced prolonged closure of the school’s intranet and wireless networks, with temporary internet access provided solely for teaching activities. Full network restoration was contingent upon completing security scans and eliminating all identified vulnerabilities. Over 600 individuals had personal data compromised, including sensitive information from students, families, staff, and tenant organizations. HKICC publicly apologized for the security risks and disruptions, emphasizing efforts to trace system vulnerabilities and update information security protocols. This incident occurred amid escalating cyberattacks targeting Hong Kong entities since August 2023, including ransomware breaches at Cyberport, Union Hospital, Consumer Council, and Hong Kong College of Technology, the last of which suffered a February 2024 attack compromising 8,100 student records. While HKICC collaborated with authorities to investigate the attack’s origins, no conclusive evidence emerged regarding external data dissemination or attacker identities during the initial response phase. Restoration priorities focused on rebuilding systems securely rather than negotiating with perpetrators, mirroring Cyberport’s approach during its 2023 breach, in which the refusal to pay the ransom led to data leaks on the dark web.
