Cyber Incident Victim: Goldjoy
Date:
Jan 2018
Location:
Hong Kong
Summary
A Hong Kong travel agency experienced a cybersecurity breach where unauthorized parties accessed its customer database containing sensitive personal information, including names, ID card numbers, passport details, and phone numbers. Hackers demanded a ransom payment in bitcoin to release the compromised data, prompting the company to apologize, tighten security measures, and report the incident to authorities. Police investigated potential links to similar recent attacks targeting travel agencies, noting comparable hacking tactics across cases. The Privacy Commissioner highlighted concerns over the rising trend of such breaches, emphasizing the vulnerability of industries handling large volumes of personal data. External technical assistance was engaged to address system vulnerabilities following the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 3, 2018, Hong Kong travel agency Goldjoy disclosed that unauthorized parties had accessed its customer database containing sensitive personal information, including names, ID card numbers, passport details, and phone numbers. This incident occurred alongside a simultaneous breach at Big Line Holiday, which reported on January 2 that hackers had potentially stolen customer data including ID card numbers, home return permit numbers, and phone numbers. Both agencies filed police reports on January 3, with authorities categorizing the cases as blackmail and initiating investigations through the Cyber Security and Technology Crime Bureau to determine potential connections between the attacks. Goldjoy, operating three branches, issued a public apology and announced immediate measures to strengthen cybersecurity, though specific technical details of the breach were not disclosed. Big Line Holiday, a larger agency with 13 branches specializing in mainland China and Asian tours, revealed it had received a ransom demand from perpetrators seeking payment in bitcoin—specifically 1 bitcoin valued at approximately HK$114,000—in exchange for releasing locked customer data.
The attacks represented the second and third such incidents targeting Hong Kong travel agencies within weeks, following a similar November 2017 breach. Police confirmed the hackers employed comparable tactics across both January cases, though investigators could not immediately determine the full scope of compromised data at Big Line Holiday due to encryption by the attackers. In response to the breaches, Big Line Holiday engaged external technical assistance to fix system vulnerabilities while notifying both police and the Office of the Privacy Commissioner for Personal Data. Privacy Commissioner Stephen Wong Kai-yi expressed concern over the rising trend of such incidents, emphasizing travel agencies' legal obligations under the Personal Data (Privacy) Ordinance to implement reasonable security measures. Concurrently, Undersecretary for Commerce and Economic Development Dr. Bernard Chan Pak-li visited Goldjoy's Admiralty branch, highlighting the availability of HK$10 million in government funding to help small and medium-sized travel agencies improve IT defenses amid growing cybersecurity threats to data-rich industries.