Cyber Incident Victim: The University of Hong Kong

Date: Jan 2024

Location: Hong Kong

Summary

The University of Hong Kong's Faculty of Education experienced a cyberattack targeting its servers, prompting immediate isolation of affected systems and an investigation involving external cybersecurity experts. Preliminary findings indicated potential exfiltration of internal documents, including room booking records, administrative guidelines, system management files, and historical meeting materials, with compromised personal data involving approximately 400 academic visitors, 3,000 students’ academic statuses, and 4,000 research degree applicants—though no evidence suggested theft of financial details or identity numbers. The incident was reported to authorities, with affected parties notified and ongoing efforts to enhance cybersecurity protocols.

Description

On January 30, 2024, the Faculty of Education at the University of Hong Kong (HKU) experienced a cyberattack targeting its computer servers. The Faculty discovered the breach on the same day and immediately isolated the affected systems to prevent further unauthorized access. HKU’s Information Technology Services (ITS) and an external cybersecurity consultant initiated a comprehensive investigation into the incident. By February 2, 2024, investigators identified a log file indicating potential data exfiltration from the compromised servers. The analysis revealed that attackers may have accessed internal files spanning over a decade, including room booking records, internal operational guidelines, system management files, and meeting agenda papers and minutes dating back to 2012. Preliminary assessments suggested the exfiltrated data contained personal information of approximately 400 academic visitors, study status details of around 3,000 students, and application records of nearly 4,000 research degree programme applicants. The Faculty confirmed no evidence of exfiltration for highly sensitive data categories, including salary information, bank account details, or Hong Kong Identity Card (HKID) numbers.

The Faculty formally reported the incident to the Hong Kong Police Force and the Office of the Privacy Commissioner for Personal Data (PCPD), aligning with regulatory obligations. It began notifying affected students, alumni, and other potentially impacted individuals about the breach while advising vigilance against potential misuse of personal data. A dedicated email address ([email protected]) was established for breach-related inquiries. The Faculty publicly condemned the cyberattack as unlawful and issued apologies for disruptions caused to those affected. Concurrently, ITS collaborated with the Faculty to review existing cybersecurity protocols, implement additional protective measures, and mitigate operational impacts stemming from the server isolation. No further data compromises were identified following the initial containment, though the Faculty indicated possible additional notifications pending ongoing investigative reviews.
