Hong Kong’s Cyberport apologised on Thursday over a data theft that led to sensitive staff data being offered for sale on the dark web and pledged to invest resources as needed to strengthen network security, while also admitting the extent of the leak was still being investigated.
Top executives also said the board of the company managing the hi-tech park in Pok Fu Lam decided to set up a working group to review the incident, make recommendations for improvements and support those affected.
Cyberport CEO Peter Yan King-shun told a media briefing that the data breach was confined to “some information stored in some parts of some servers” and maintained that no system-wide loopholes in security existed. Neither was there any evidence of human error in the data breach, he added.

The hub had put enhanced measures in place after consulting outside experts, allowing it to fend off similar attacks in recent weeks, he explained.
“[Staff] now need to take more time to access data and it’s not as convenient, but we think this is absolutely worth it, because we have indeed had some of our data stolen, so we must now put more weight on security,” Yan said.
Cyberport chairman Simon Chan Sai-ming on Thursday condemned the hackers and offered an apology.
“On behalf of the board, I also like to offer an apology to those affected and for the concerns thus raised,” Chan said.
Management reported last week that 400GB of files, including sensitive personal data belonging to employees, former workers and job applicants, as well as credit card records, had been siphoned off in the cyberattack in the middle of August.
The tech hub came under fire from the government, former employees and internet security experts over its decision to only disclose the intrusion when reports of it emerged on social media weeks after it happened.
Yan said data forensic workers were still gathering information on the scope of the breach and individuals affected would be contacted as soon as they were identified. They would be offered a free service tracking any of their personal data, he pledged.
“I think our focus now is to try our best to minimise the impact on those who have been confirmed to be affected, so we are providing some tracking services so that they can protect themselves as much as possible,” he said.
The hackers reportedly demanded Cyberport pay US$300,000 for the return of the data by this past Tuesday or it would be sold on the dark web.
The tech hub confirmed that day the stolen information had appeared online, but management did not say whether it paid any ransom. It said it had reported the case to police and the privacy watchdog.
In defending its disclosure decision, the tech hub said that at the time of the hacking, there was no evidence of any misuse of personal data and it did not want to cause any “unnecessary concern” by raising the alarm.
“We were subsequently made aware that some information available on the dark web could potentially be related to the incident and we immediately made a public announcement on [September 6] and contacted persons who may have been affected,” it said earlier.
On Wednesday, technology minister Sun Dong said the government was deeply concerned about the incident. Sun said he had instructed the hub’s management to make public additional information about the intrusion and fully cooperate with police and independent cybersecurity experts in their investigation of the attack.
The Hong Kong Computer Emergency Response Team Coordination Centre on Thursday advised companies to establish a strong data security policy and regularly back up important data, which should also be stored in offline locations.
It also advised against paying ransom for stolen data, saying there was no guarantee hackers would provide the decryption method or delete the information after receiving payment.
“Even if the incident is resolved, the hackers may target the victim organisation again in the future, taking advantage of their vulnerability and attempting to extort the organisation with the same data or launch another attack,” it added.