Hong Kong’s Cyberport apologised on Thursday after a data theft led to sensitive staff information being offered for sale on the dark web and pledged to invest resources as needed to strengthen network security, while also admitting the extent of the leak was still being investigated.
Top executives also said the board of the company managing the hi-tech park in Pok Fu Lam had decided to set up a working group to review the incident, make recommendations for improvements and support those affected.
Cyberport CEO Peter Yan King-shun told a media briefing that the data breach was confined to “some information stored in some parts of some servers” and maintained that no system-wide security loopholes existed. Neither was there any evidence of human error in the data breach, he added.
The tech hub had put enhanced measures in place after consultation with outside experts, which had allowed it to fend off similar attacks in recent weeks, he explained.
“[Staff] now need to take more time to access data and it’s not as convenient, but we think this is absolutely worth it, because we have indeed had some of our data stolen, so we must now put more weight on security,” Yan said.
Cyberport chairman Simon Chan Sai-ming on Thursday condemned the hackers and apologised.
“On behalf of the board, I would also like to offer an apology to those affected and for the concerns thus raised,” Chan said.
Management reported this week that files, including sensitive personal data about employees, former workers and job applicants, as well as credit card records, had been siphoned off in the mid-August cyberattack.
The tech hub came under fire from the government, former employees and internet security experts over its decision to only disclose the breach after reports emerged on social media weeks after it happened.
Yan said data forensic experts were still gathering information on the scope of the breach and individuals affected would be contacted as soon as they were identified. They would be offered a free service tracking any of their personal data, he pledged.
“I think our focus now is to try our best to minimise the impact on those who have been confirmed to be affected, so we are providing some tracking services so that they can protect themselves as much as possible,” Yan said.
The hackers reportedly demanded Cyberport pay US$300,000 for the return of the data by Tuesday or it would be sold on the dark web.
The tech hub confirmed that day the stolen information had appeared online, but management did not say whether it paid any ransom.
It said it had reported the case to police and the privacy watchdog.
In defending its disclosure decision, the tech hub said that at the time of the hacking, there was no evidence of any misuse of personal data and it did not want to cause any “unnecessary concern” by raising the alarm.
“We were subsequently made aware that some information available on the dark web could potentially be related to the incident and we immediately made a public announcement on [September 6] and contacted persons who may have been affected,” it said earlier.
A former employee of Cyberport, whose salary and bonus history was leaked, said she was “more furious” after she learned of the management response.
“[Yan] didn’t acknowledge Cyberport’s lack of cybersecurity measures to protect staff and start-ups’ information. He didn’t apologise. Only the chairman sort of apologised,” the woman, who worked at Cyberport for several years and left recently, said.
She said she kept in contact with some former colleagues through a WhatsApp chat group and added that she and other ex-staff were disappointed that the board’s response was “so mild, as if it was something very trivial”.
The woman also complained that Cyberport had so far not contacted her about the data breach and she only got to know she had become a victim after a friend visited the dark web to have a look and found her folder and some others with details on her ex-colleagues.
Technology minister Sun Dong on Wednesday said the government was deeply concerned about the incident.
He added he had instructed the tech hub’s management to make public additional information about the breach and cooperate with police and independent cybersecurity experts in their investigation of the attack.
The Hong Kong Computer Emergency Response Team Coordination Centre on Thursday advised companies to create strong data security policies and back up important information on a regular basis, with the backups also stored in offline locations.
It also advised against the payment of ransoms for stolen information. The centre said there was no guarantee hackers would provide the decryption method or delete the information after they were paid.
“Even if the incident is resolved, the hackers may target the victim organisation again in the future, taking advantage of their vulnerability and attempting to extort the organisation with the same data or launch another attack,” it explained.