Latest News

7-Eleven Breach: Hackers Claim 600,000 Records Stolen

28 May 2026

In breach notification letters dated May 1, the company said the attackers accessed “certain 7-Eleven systems used to store franchisee documents.” 7-Eleven added that the affected files included data such as names, addresses, and other identifying information. The hackers claimed to have stolen more than 600,000 records connected to 7-Eleven. The group allegedly later published a 9.4GB archive of stolen files after ransom negotiations failed.


The incident adds 7-Eleven to a growing list of organizations reportedly targeted by ShinyHunters, including companies in education, retail, entertainment, healthcare, and technology. Roughly 185,300 people had their data exposed, according to a report from BleepingComputer.

CISA contractor’s public GitHub repo exposed sensitive government credentials

20 May 2026

GitHub repo (contractor of CISA) exposed sensitive government credentials

A public GitHub repository containing highly sensitive internal credentials and systems used by the US Cybersecurity and Infrastructure Security Agency (CISA) has come to light, according to information published by TechRadar.


The repository, named "Private-CISA" and maintained by contractor Nightwing, exposed AWS administrative credentials, access keys, tokens, plaintext usernames and passwords for internal CISA systems, and SSH keys. Security researchers confirmed the authenticity of the leak, with some credentials reportedly still functional. The repository detailed CISA's internal software build and deployment processes.

A hotel check-in system left a million passports and driver’s licenses open for anyone to see

18 May 2026

A hotel check-in system Tabiq left a million passports and driver’s licenses open for anyone to see

A hotel check-in system left more than 1 million customer passports, driver’s licenses, and selfie verification photos exposed to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible.


The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea for several hotels across Japan and relies on facial recognition and document scanning to check guests in.

“Digital Omnibus on AI” - EU agrees to simplify AI rules to boost innovation and ban ‘nudification' apps to protect citizens

13 May 2026

The European Commission welcomes the political agreement reached today between the European Parliament and the Council of the EU on simpler, innovation-friendly rules for artificial intelligence (AI).


The Commission proposed the Digital Omnibus on AI only five months ago as part of the EU's simplification agenda to boost Europe's competitiveness. This will make the implementation of the AI Act for EU businesses easier while maintaining its benefits for European society, safety and fundamental rights.

Implementation Opinions on the Standardized Application and Innovative Development of AI Agents (智能体规范应用与创新发展实施意见) - Chinese AI Agents Guidelines

13 May 2026

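Chinese AI Agents Guidelines - Cyberspace Administration of China: Implementation Opinions on the Standardized Application and Innovative Development of AI Agents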

As of 8 May, Chinese key regulators including CAC, NDRC and MIIT jointly issued the implementation guidelines to promote the standardized application and innovative development of AI agents, amid the country’s accelerated push to advance the “AI Plus” action.

The Chinese guidelines take a typical top-down approach, prioritizing 19 scenarios, including critical sectors such as energy, agriculture, public transportation, healthcare, judiciary, e-government, education, and banking and finance.


This differs from the bottom-up approach taken under the Model AI Governance Framework for Agentic AI issued by Singapore's IMDA earlier in January 2026.

The guidelines also encourage mandatory national standards for AIP adopted for specific sectors. They emphasize AI security, in particular supply chain security.

[Join us on 30 June 2026] - PCPD-HKU Joint Data Protection Event - "The New AI Era: Data Protection & Cybersecurity in Higher Education"

11 May 2026

"The New AI Era: Data Protection & Cybersecurity in Higher Education"


Our distinguished speakers / panelists include:

  • Mr. Alex Chan, Assistant Privacy Commissioner, Office of the Privacy Commissioner for Personal Data (PCPD)

  • Mr. Raymond Lam, Chief Superintendent, Cyber Security and Technology Crime Bureau (CSTCB)

  • Mr. Otto Lee, Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)

  • Mr. Leonard Chan, MH, Founding Chairman, Hong Kong Innovative Technology Development Association (HKITDA)

  • Prof. S.M. Yiu, Professor, School of Computing & Data Science, The University of Hong Kong (HKU)

In addition, we will have "the Little Grape" as the special guest for the afternoon!


Talks at the event:

  • Navigating Data Privacy Risks in the Use of AI in Higher Education (by Mr. Alex Chan)

  • Digital Resilience: The Industrialisation of Cybercrime (by Mr. Raymond Lam)

  • Cybersecurity in Higher Education: Trends, Threats & Defences (by Mr. Otto Lee)

Panel Topic: Innovation vs. Third-Party Risk: Balancing Progress and Privacy

  • Moderator: Mr. Leonard Chan, MH

  • Panelists: Mr. Alex Chan, Mr. Raymond Lam, Mr. Otto Lee, Prof. S.M. Yiu

Registration:

For HKU staff: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?ueid=106167

For Non-HKU members: https://hkuems1.hku.hk/hkuems/ec_hdetail.aspx?guest=Y&ueid=106169

Canvas cyberattack: NUS, SIM ask users to reset passwords as added precaution

10 May 2026

Affected users will be prompted to do so when they next access NUS IT services, including their e-mails, VPN or other systems requiring NUS authorisation. 


As it continues to monitor the situation, NUS said Canvas has been placed under controlled access, adding that only selected users who require Canvas for critical academic or operational purposes will be granted access.

NVIDIA confirms GeForce NOW data breach affecting Armenian users

10 May 2026

GeForce NOW user information has been exposed in a data breach. “Our investigation found no impact on NVIDIA-operated services. The issue is limited to systems run by a third-party GeForce NOW Alliance partner based in Armenia,” the company said. The statement comes in response to a post last week on a hacker forum from a threat actor using the ShinyHunters nickname, claiming to have breached the GeForce NOW service and stolen millions of user records.


The gaming and hardware giant has clarified that the impact is limited to Armenia, and was caused by a compromise of the infrastructure operated by a regional partner.

The company added that its own network was not impacted by the incident.

Thousands of AI ‘Vibe Coding’ Apps May Expose Sensitive Medical, Business Data

9 May 2026

A new investigation by Israeli cybersecurity firm Red Access found thousands of AI-generated web apps leaking data ranging from medical records to internal business documents. The findings add to mounting concerns about vibe coding, a fast-growing trend in which users rely heavily on AI tools to generate and deploy software with little or no traditional coding experience.


The investigation also found roughly 380,000 publicly accessible assets created with AI-powered coding tools such as Lovable, Replit, Netlify, and Base44. According to the researchers, about 5,000 of those apps exposed potentially sensitive information.


The exposed information reportedly included medical records, financial documents, chatbot conversations, schedules, and internal business materials.

Global cyberattack on Canvas learning platform impacts 5 HK institutions amid extortion threats

9 May 2026

A massive hacking attack on the widely used educational platform Canvas has compromised data and blocked access at approximately 9,000 institutions worldwide, including five in Hong Kong, as cybercriminals threaten to leak sensitive information if ransom demands are not met.


The Office of the Privacy Commissioner for Personal Data confirmed on Friday that the local institutions caught in the global breach include the Polytechnic University, the University of Science and Technology, the Academy for Performing Arts, the Hong Kong Institute of Construction, and Hong Kong Education City Limited.

Instructure confirms data breach, ShinyHunters claims attack

4 May 2026

Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility.


Instructure is a U.S.-based education technology company best known for developing Canvas, a widely used learning management system that helps schools, universities, and organizations manage coursework, assignments, and online learning.

Hackers claim to have pinched 7.5 million Carnival cruise emails

3 May 2026

  • Carnival confirmed a supply‑chain breach affecting its Holland America Line loyalty program, with millions of customer records exposed

  • ShinyHunters claimed responsibility, leaking 8.7 million records containing millions of unique email addresses and personal details, including names, dates of birth, genders, and membership status details

  • Carnival acknowledges incident and notifies authorities, but downplays scope, describing it as a phishing compromise of a single account

Phishing scam | Accounting clerk falls for messaging app update trap; scammers posing as business partner steal 19 million

30 Apr 2026

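Scams keep emerging, and even professionals and company executives are falling victim. Police disclosed that in November last year, an accounting employee of a company received a system update notification for a mobile messaging app that had been faked by scammers. The victim then provided an account verification code, giving the scammers the opportunity to read the company's conversations. The scammers subsequently impersonated a long-standing business partner of the victim's company, falsely claimed that the bank account for remittances had changed, gave the accounting employee three personal accounts, and instructed the employee to transfer funds. The victim ultimately transferred nearly HK$19 million to those accounts, a heavy loss.


許綺惠, Acting Senior Superintendent of the Police Cyber Security and Technology Crime Bureau, noted that losses from phishing scams in 2025 reached HK$110 million, with an average loss of nearly HK$100,000 per case, an increase of more than 4.5 times over the previous HK$18,000.


Original article: Phishing scam | Accounting clerk falls for messaging app update trap; scammers posing as business partner steal 19 million | HK01 https://www.hk01.com/article/60339447?utm_source=01articlecopy&utm_medium=referral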

ShinyHunters threaten to leak 1.4 million Udemy records containing private data

30 Apr 2026

Extortion group ShinyHunters has claimed a breach at Udemy, an e-learning platform. The hackers are threatening to release over 1.4 million records containing personally identifiable information and other corporate data. The claims haven’t yet been officially confirmed. Have I Been Pwned (HIBP), a data breach search engine, has added 1.4 million email addresses from the dump and confirmed that the data includes names, addresses, phone numbers, employer information and instructor payout method. 


For comparison, Udemy had an estimated 77 million e-learners in 2024, and the number is likely to have grown since then.

Over 9,000 affected in ransomware attack on club

24 Apr 2026

A private club failed to take all practicable steps to protect the personal data of its members following a ransomware-related data breach that affected more than 9,000 people, the Privacy Commission said following an investigation.

According to the investigation report released, those affected were Yau Yat Chuen Garden City Club’s 1,553 active members, supplementary card holders, former members and former supplementary card holders. Personal details taken in the breach included full names, identity card and passport numbers, dates of birth, email addresses, contact numbers and addresses.

Travel Expert (專業旅運): Servers accessed without authorization, possibly involving customer orders and employee files

22 Apr 2026

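Travel Expert (1235) announced that it recently discovered unauthorized access to some of its internal servers and shared storage systems. The affected data is pending confirmation by an investigation by independent cybersecurity experts and may include customer orders and related operational records, as well as employee files and system data. The company is currently arranging to engage a third-party professional firm for data recovery, and has set up an internal emergency committee to coordinate the response.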


https://www.hk01.com/article/60342105?utm_source=01articlecopy&utm_medium=referral


Related guidelines in English

- https://www.pcpd.org.hk/english/news_events/media_statements/press_20241118.html - guidelines published for Travel Agents in Nov 2024.

- Previous security incidents involving Big Line Holiday, WWPKG and Goldjoy Holidays - https://www.pcpd.org.hk/english/news_events/media_statements/press_20180104.html

PCPD 30th Anniversary Presents: Public Seminar on “Seeing Through Scams in the Digital Age”

14 Apr 2026

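Please complete the registration form by 1:00 pm on 4 May 2026 (Monday). Successful registrants will receive a confirmation email on or before 4 May 2026 (Monday).


With the rapid development of digital technology and artificial intelligence (AI), scammers use a variety of channels to commit fraud, such as phishing SMS messages, instant messaging scams, social media fraud, fake online shops and QR code traps. They even use AI to produce deepfake videos and AI-generated voices to impersonate family members, colleagues or service providers, making scams hard to guard against.


Seminar highlights:

  • An explanation of emerging scam trends

  • Real cases and anti-scam tips

  • An introduction to the privacy risks of using AI chatbots, smartphones and social media

  • Practical tips for protecting personal data on digital platforms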

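Notice of the Cyberspace Administration of China on the Public Consultation on the “Digital Virtual Human Information Service Management Measures (Draft for Comments)”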

10 Apr 2026

Do you think your digital "brain" stays with the company you supported after you leave it? Companies are increasingly replacing routine and even mid-level tasks with AI, leading to heightened job insecurity. AI just makes it faster, cheaper, and scalable. What used to take years of process documentation and knowledge transfer can now be compressed into a prompt file.


“Colleague.skill”, readily available on GitHub, packages a former employee’s documentation (and knowledge) into a digital avatar that acts like a human colleague. An “anti-distill.skill” tool has also been released that can rewrite work documents, replacing the core knowledge with “correct but useless” content.


China's CAC has released draft regulations to govern the development and deployment of digital humans: 数字虚拟人信息服务管理办法(征求意见稿) (China Digital Human Information Service Management Measures (Draft)) (Chinese version): https://lnkd.in/gW6xKvgT


https://officechai.com/ai/chinas-workers-are-weaponizing-ai-against-each-other-through-colleague-skill-files-and-fighting-back/ 

Claude’s code: Anthropic leaks source code for AI software engineering tool

6 Apr 2026

An internal-use file mistakenly included in a software update pointed to an archive containing nearly 2,000 files and 500,000 lines of code, which were quickly copied to developer platform GitHub. A post on X sharing a link to the leaked code had more than 29m views early on Wednesday, and a rewritten version of the source code quickly became GitHub’s fastest-ever downloaded repository. Anthropic issued copyright takedown requests to try to contain the code’s spread. Within the code, users spotted blueprints for a Tamagotchi-esque coding assistant and an always-on AI agent, per the Verge.


The leaks could also help competitors, like OpenAI and Google, better understand how Claude Code’s AI system works.

Hospital Authority Data Leak: Over 56,000 Affected

4 Apr 2026

4th April 2026 – (Hong Kong) The Hospital Authority has confirmed that patient records were exposed online after its monitoring system detected suspected unauthorised access and disclosure to a third‑party platform, reportedly linked to dark web forums. Speculation had circulated that as many as 270,000 medical records were involved.


The Privacy Commissioner’s Office confirmed it had received formal notification from the Hospital Authority and indicated that more than 56,000 individuals were affected. The compromised data is understood to include patients’ names, Hong Kong identity card numbers, gender, dates of birth, hospital reference numbers, appointment details and certain health information.


Chinese version: https://news.rthk.hk/rthk/ch/component/k2/1849931-20260404.htm - Hospital Authority reports patient data leak to police; PCPD: more than 56,000 people affected

Copyright @2026 The University of Hong Kong. All Rights Reserved.