Cyber Incident Victim: Big Line Holiday
Date:
Jan 2018
Location:
Hong Kong
Summary
A Hong Kong travel agency, Big Line Holiday, suffered a cyberattack where hackers potentially accessed customer data including identification documents and phone numbers, demanding a ransom of one bitcoin for the information's release. The agency implemented immediate security enhancements, engaged external technical support, and reported the incident to authorities, while the Privacy Commissioner highlighted concerns over a rising trend of such breaches targeting travel firms holding sensitive data. This incident followed similar attacks on other local agencies, underscoring vulnerabilities in small and medium-sized enterprises with limited cybersecurity preparedness.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around January 2, 2018, Big Line Holiday, a Hong Kong-based travel agency with 13 branches specializing in tours to mainland China and Asia, disclosed that hackers had potentially breached its customer database the previous day. The attackers gained unauthorized access to sensitive personal information, including customers' ID card numbers, home return permit numbers, and phone numbers. Big Line Holiday confirmed receiving a ransom letter from the perpetrators demanding payment in bitcoin for the release of the locked data, with police sources specifying the demand as 1 bitcoin (equivalent to HK$114,000 or US$14,500 at the time). The company reported the incident to Hong Kong police on January 2, who classified the case as blackmail and initiated an investigation through the Cyber Security and Technology Crime Bureau to determine potential connections to a contemporaneous attack on another agency, Goldjoy. Big Line Holiday issued a public apology to affected clients, emphasizing its commitment to resolving the breach through immediate countermeasures including network security enhancements and engagement of external technical experts to identify and repair system vulnerabilities. The company also notified Hong Kong's Privacy Commissioner for Personal Data about the incident.
The Privacy Commissioner's office launched a compliance check on Big Line Holiday, expressing particular concern about the potential scale of compromised sensitive data and reminding travel agencies of their legal obligations under the Personal Data (Privacy) Ordinance to implement practicable security measures. Police investigators noted challenges in determining the full scope of compromised records since the data remained encrypted by the attackers. The incident occurred amid a rising trend of cyberattacks targeting Hong Kong travel agencies, with two other agencies reporting similar breaches within the preceding two months, prompting government Undersecretary for Commerce and Economic Development Dr. Bernard Chan Pak-li to highlight the availability of HK$10 million in funding for small-to-medium-sized travel agencies to improve IT defenses. Industry experts, including Hong Kong Information Technology Federation president Francis Fong Po-kiu, observed that travel agencies' extensive collection of current customer data made them attractive targets, particularly given the sector's generally lower cybersecurity preparedness compared to larger enterprises.