Cyber Incident Victim: Web-based School Administrative and Management System

On December 5-6, 2019, Hong Kong’s Education Bureau confirmed a cyberattack targeting WebSAMS (Web-based School Administrative and Management System), a government-developed application used by most public and direct subsidy scheme schools for administrative operations. Eight schools experienced breaches, with three confirming data leaks. The incident came to light following media reports that La Salle Primary School in Kowloon City was compromised on December 5, prompting its principal to notify stakeholders that hackers had illegally retrieved server data. The Education Bureau dispatched specialists to affected schools to inspect IT systems, strengthen security, and provide support, though it did not disclose specific details regarding stolen data or all impacted institutions. Schools were advised to report incidents to police and the Privacy Commissioner for Personal Data.

WebSAMS stored highly sensitive information, including student addresses, birth dates, contact details, parent names, birth certificates, academic results, staff records, financial reports, and school allocation data. La Salle Primary suspended the system’s use and cooperated with law enforcement. Kowloon City Police Station initiated an investigation under Section 161 of the Crimes Ordinance for unauthorized computer access with dishonest intent, though no arrests were made. Affected parents expressed concern over potential misuse of personal data, while an IT professional speculated constant internet connectivity might have exposed vulnerabilities. The Education Bureau released a security update for WebSAMS and urged schools to install it. Education sector lawmaker Ip Kin-yuen called for government scrutiny of system loopholes and full disclosure to victims, warning the breach’s severity might be underestimated if hackers targeted additional schools.