
Latest News

Europol breached, likely via the EPE web portal using stolen credentials

14 May 2024


Europol, the European Union's law enforcement agency, confirmed that its Europol Platform for Experts (EPE) portal was breached and is now investigating the incident after a threat actor claimed they stole For Official Use Only (FOUO) documents containing classified data. 


EPE is an online platform law enforcement experts use to "share knowledge, best practices and non-personal data on crime."

Ohio Lottery ransomware attack impacts over 538,000 individuals

13 May 2024


The attackers gained access to the affected people's names, Social Security numbers, and other personal identifiers. 


While the Ohio Lottery didn't reveal the nature of the incident, which affected mobile and prize-cashing operations, the DragonForce ransomware gang claimed the attack days later. The threat actors claimed they encrypted devices and stole documents belonging to both Ohio Lottery customers and employees.

Dell warns of data breach, 49 million customers allegedly affected

13 May 2024

Dell warns of data breach, 49 million customers allegedly affected. Data was for sale on a hacking forum.

Dell states that the following information was accessed by the threat actor during the breach: name, physical address, and Dell hardware and order information, including service tag, item description, date of order, and related warranty information.


As first reported by Daily Dark Web, a threat actor named Menelik attempted to sell a Dell database on the Breach Forums hacking forum on April 28th. The threat actor said they stole data from the computer maker for "49 million customer and other information systems purchased from Dell between 2017-2024."

Hong Kong must reform corporate culture, step up data security to avoid harm to I&T hub ambitions after cyberattacks, industry veterans say

11 May 2024

Hong Kong must reform corporate culture, step up data security to avoid harm to I&T hub after cyberattacks

The specialists ramped up their warnings after jewellery chain Luk Fook Holdings said on Friday it was verifying claims a hacker accessed the records of 5 million customers and was seeking a ransom of more than HK$190,000 (US$24,310) in cryptocurrency.


The Hong Kong College of Technology also said it was hit by a “highly targeted and unusual cyberattack” in February which leaked personal information concerning about 8,100 students. A ransomware group was believed to have stolen 450GB of data and shared the information on the dark web earlier this week.


Cybercrime is the third largest economy globally, and with geopolitical tensions, digital warfare has surfaced in areas we didn't expect. In the year 2000, not too long ago, companies were begging American giants like Sun Microsystems, Cisco and IBM to speed up their orders, and routers with ACLs were already considered an advanced security feature. In 2001, Israeli market leader Check Point was heavily promoting through distributors, and companies were still skeptical about software-based firewalls (with stateful inspection capability). Twenty-three years later, technology alone isn't enough, and blaming I.T. is no longer a solution in government, large enterprises, or mid-size companies.

HKCT file server was compromised and school documents or personal data were leaked

10 May 2024

HKCT Hong Kong College file server was compromised and school documents or personal data were leaked

HKCT: The attack was not ordinary, it was highly targeted and unusual


A spokesman for the HKCT said that in late February it discovered it had been subjected to a ransomware attack by high-level persistent hackers: the IT network and file servers had been illegally intruded, and some documents and files had been stolen and encrypted, which may have involved the leakage of some school documents or personal data. The spokesman emphasised that the attack was not an ordinary attack but a highly targeted and unusual cyber attack.


The school said it immediately took corresponding actions, including reporting the incident to the Police and filing a case with the Office of the Privacy Commissioner for Personal Data.


Information on the dark web shows that the hacker broke into HKCT's computer system on February 13, stole a total of 450GB of data, and then encrypted files and blackmailed the school.


Additional news: HKCT Document Server Compromised or Partial School Documents or Personal Data Leakage - RTHK

FSD - Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public

7 May 2024


Hong Kong fire service reports potential leak of personal data of 5,000 staff, members of public

  • It is the third online security incident concerning government departments revealed in a week

  • The latest incident occurred on Friday when an outsourced contractor handled a data migration procedure, Fire Services Department says

The department added that 960 incomplete identity card numbers of staff were also involved.


In Chinese: https://www.hk01.com/%E7%A4%BE%E6%9C%83%E6%96%B0%E8%81%9E/1017020

EMSD and CR incidents: HKGCIO urges government departments to review personal data storage and information security

5 May 2024


The Office of the Government Chief Information Officer has requested all government departments to comprehensively review information security and personal data storage public cloud platforms within a week.


Additional information: 

https://inews.hket.com/article/3754059/

https://www.stheadline.com/society/3340936

CR Companies Registry's e-services maintained after earlier incident of personal data leakage

3 May 2024


The Companies Registry has reported the case to the Security Bureau, the Office of the Government Chief Information Officer and the Office of the Privacy Commissioner for Personal Data.


As of May 3, the Companies Registry (CR) said today that urgent maintenance of its e-Services Portal to block any risk of further leakage of personal data had been completed. The CR had also completed the relevant investigation. 


Other information: 

Company Registry System 3 Vulnerability 110,000 directors' personal information leaked Name ID card for viewing - https://www.hk01.com/article/1016277?utm_source=01articlecopy&utm_medium=referral

Hacker-hit Hong Kong consumer watchdog ordered to fix data security problems within 2 months

3 May 2024


Hong Kong’s consumer watchdog breached privacy rules when the personal information of more than 470 people was leaked in a cybersecurity attack. Its email alert system also failed to notify the watchdog of the attack last September, with the council only learning about the incident once a US$500,000 ransom request was sent.


Additional info - https://www.scmp.com/news/hong-kong/society/article/3262885/phone-apps-filter-spam-calls-hong-kong-users-found-compromise-their-data-watchdog?fbclid=IwZXh0bgNhZW0CMTEAAR1NsB74bYNbEqQJUdHwKx7cw898jILb3qOw0-2msrte1gmLCzVST84GeFI_aem_ZmFrZWR1bW15MTZieXRlcw

Consumer Council-PCPD Publishes Findings on the Data Breach Incident

2 May 2024


The Privacy Commissioner has served an Enforcement Notice on the Consumer Council, directing it to remedy the contravention and prevent similar recurrence of the contravention.

  • Adopt multi-factor authentication for remote access to information and communications systems to minimise the risk of attacks targeting information systems;

  • Establish a robust cybersecurity framework, allocate sufficient resources and formulate effective strategies and measures to prevent, detect and respond to cyberattacks, thereby reducing the possibility of cyberattacks and the risk of data leakage;

  • Conduct regular risk assessments and security audits of information systems;

  • Establish a corporate culture that values data security; and

  • Devise effective training plans to enhance staff awareness and competence in data security and personal data protection.

PCPD Safeguard Data Security awareness week in May 10-16

1 May 2024


The Privacy Awareness Week (PAW) is an annual event jointly supported by members of the Asia Pacific Privacy Authorities (APPA) to raise the awareness of the protection of personal data privacy by members of the public. This year, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) is organising the PAW 2024 from 10 to 16 May under the theme of “Safeguard Data Security • Safeguard Privacy!”.

Hong Kong Arts Development Council was maliciously attacked by hackers

30 Apr 2024

Hong Kong Arts Development Council attacked maliciously by hackers. No data breach or loss reported.

The Hong Kong Arts Development Council stated that the incident happened last Friday and that it immediately activated its emergency response mechanism to prevent further intrusion by the hackers. It also commissioned network security experts for a comprehensive investigation and reported the incident to the PCPD, the Hong Kong Police and the Culture, Sports and Tourist Board.

Health conglomerate Kaiser notifies millions of a data breach

26 Apr 2024


April 25 (Reuters) - U.S. health conglomerate Kaiser is notifying millions of its members of a data breach earlier this month, it reported in a notice posted on Thursday.

The Kaiser Foundation Health Plan confirmed that 13.4 million residents had their information taken in a data breach, as per a legally required notice filed with the U.S. government on April 12 and reported on Thursday.

Personal information of parents, staff at 127 schools accessed in data security breach

22 Apr 2024

Personal information of parents, staff at 127 schools accessed in data security breach (at Mobile Guardian)

SINGAPORE: A data breach at one of its vendors has resulted in the "unauthorised access" of names and email addresses of parents and staff from five primary schools and 122 secondary schools, the Ministry of Education (MOE) said on Friday (Apr 19).


MOE said it was notified by Mobile Guardian that its user management portal had been breached on Wednesday, with the incident occurring at the company's headquarters in Surrey, United Kingdom.

Law firm Orrick agrees to $8 mln settlement over breach of client data

15 Apr 2024


U.S. law firm Orrick, Herrington & Sutcliffe has agreed to pay $8 million to settle class action claims from people who said their personal information was compromised in a breach of some of the firm's client data, according to a proposed settlement filed Thursday in San Francisco federal court.


Hackers accessed the names, addresses, dates of birth, and Social Security numbers of more than 600,000 people that were contained in files held by Orrick, the plaintiffs said. Orrick detected the data breach in March 2023.


Plaintiffs alleged Orrick did not inform them of the data breach until late June last year. Thursday's court papers said that "by January 2024, Orrick had sent notice letters to impacted individuals consistent with its data breach notification obligations."

PCPD Seminar on “Cross-boundary Flow of Personal info within GBA”

12 Apr 2024

PCPD Seminar Presentation on “Cross-boundary Flow of Personal info within GBA”

The Government CIO, Ir. Tong Wong, JP, was invited to provide an overview of the facilitation measures of the Standard Contract (SC) within the GBA. The Privacy Commissioner, Ms Ada CHUNG Lai-ling, and Senior Legal Counsel (Acting) of the PCPD, Ms Clemence Wong, also explained the obligations and responsibilities of contracting parties under the GBA SC.

https://www.pcpd.org.hk/english/whatsnew/files/20240409_PCPD.pdf

https://www.pcpd.org.hk/english/whatsnew/files/20240409_OGCIO.pdf

(only Chinese version is available)


Hackers gain access to sensitive data of DOST

5 Apr 2024

Hackers gain access to sensitive data of DOST Department of Science and Technology in Philippines

Hackers believed to be operating within the country illegally gained access to the networks of government agencies including the Department of Science and Technology (DOST), compromising 2 terabytes of data, including research plans, designs and schematics, the Department of Information and Communications Technology (DICT) confirmed on Wednesday.

PCPD - Cyberport Investigation Report

3 Apr 2024

PCPD Investigation Report of Cyberport Ransomware Attack

https://www.pcpd.org.hk/english/news_events/media_statements/press_20240402.html

Investigation Report: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_12170_e.pdf - Deficiencies include:

  1. Lack of effective detection measures in Cyberport’s information systems;

  2. Failure to enable MFA for remote access;

  3. Insufficient security audits of the information systems;

  4. Lack of concrete cybersecurity framework; and

  5. Unnecessary retention of personal data.

AT&T says a data breach leaked millions of customers’ information online

1 Apr 2024


NEW YORK (AP) — The theft of sensitive information belonging to millions of AT&T’s current and former customers has been recently discovered online. AT&T said that a dataset found on the “dark web” contains information including some Social Security numbers and passcodes for about 7.6 million current account holders and 65.4 million former account holders. 


Full names, email addresses, mailing addresses, phone numbers, dates of birth and AT&T account numbers may have also been compromised. The impacted data is from 2019 or earlier and does not appear to include financial information or call history, the company said.

Seminar on “Responding to Cyber Security Threats and Data Breaches”

27 Mar 2024

Presentation on Mar 19 PCPD Seminar on “Responding to Cyber Security Threats and Data Breaches”

Presentation links (Chinese):

https://www.pcpd.org.hk/english/whatsnew/files/Brad_240319.pdf

https://www.pcpd.org.hk/english/whatsnew/files/HKIRC_Arktos_240319.pdf


PCPD/HKIRC Topical Seminar on “Responding to Cyber Security Threats and Data Breaches” registration - https://www.pcpd.org.hk/spec_event/spec_event76_apply.php

Copyright @2024 The University of Hong Kong. All Rights Reserved.