The investment promotion arm of Hong Kong investigates the ransomware incident.
The Hong Kong government’s investment promotion arm has said it is checking whether any personal information was compromised following a ransomware attack on its computer systems.
InvestHK said on Sunday that preliminary findings revealed the attack, which occurred the day before, had affected areas including its internal customer relationship management system, intranet and sections of its website operations, such as the contact form and events updates.
Its public services remain unaffected. Members of the public can continue to contact staff through telephone, email or face-to-face meetings.
An InvestHK spokesman said risk assessments indicated that basic client information might be affected.
“Although this is an ongoing investigation, based on preliminary assessment, this could potentially include basic information on InvestHK’s clients, such as the companies’ contact information, and records of InvestHK staff,” he said.
“InvestHK will tell relevant parties if and when further updates are available.”
The agency said it had been following government procedures on information and cybersecurity.
It is seeking advice from the government’s Digital Policy Office to strengthen its system security measures and has appointed experts to assist with the investigation and recovery.
The Office of the Privacy Commissioner for Personal Data said it had received an incident report on Saturday and would initiate a compliance check in accordance with established mechanisms.
The InvestHK spokesman said it would not send embedded hyperlinks via emails, SMS messages or social media pages to gather personal information or request payments.
InvestHK urged the public to stay alert and refrain from clicking on embedded links. Residents should also avoid providing personal or financial information, such as credit card details, or making payments requested by suspicious emails or SMS messages.
The promotion body is working with police on the investigation.
According to the privacy watchdog, the city reported a significant increase in data breach notifications in 2024 at 203 cases, 30 per cent up from the previous year.
Of these, 67 came from the public sector, while 136 were from the private sector, and most were due to hacking.
Last year, the Electrical and Mechanical Services Department exposed the personal data of over 17,000 public housing tenants online due to a critical oversight, according to the watchdog.
The privacy watchdog also noted the department had failed to ensure data deletion after discontinuing an online form-filling platform used for Covid test registrations in 2022.
The Companies Registry also said in May that the design of its e-services portal by a contractor resulted in the transmission of additional personal data to the client’s computer during searches.
The personal data of around 110,000 people, including names, passport numbers, identity card information, addresses, phone numbers and email addresses, were potentially at risk of being leaked, it said.
The back-to-back incidents prompted the Office of the Government Chief Information Officer – the top information technology unit – to ask all bureaus and departments to review their computer security.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said authorities had previously required its departments and affiliated organisations to upload sensitive, personal data to a government cloud.
“This measure should have been in effect for some time,” he said, adding it was unclear how hackers managed to inject the ransomware into InvestHK’s network, although it was likely to be due to a network vulnerability, such as an outdated firewall or antivirus software.
He said another possibility was that a staff member’s device was compromised outside the network, allowing malware to be introduced upon reconnection.
He also said such incidents were not uncommon in other governments and jurisdictions.
“These hackers are really sophisticated nowadays … It is very difficult to completely avoid such incidents.”
