InvestHK opens probe into potential data leak following ransomware attack

Invest Hong Kong (InvestHK) has initiated an investigation into a potential personal data leak following a ransomware attack on part of its computer systems on Saturday (22 February).

Preliminary findings indicated that the affected areas included an internal customer relationship management (CRM) system, intranet and part of InvestHK's website operations, such as the function to contact InvestHK via the website form and events updates. 

While investigation is still underway to ascertain whether any personal data leakage is involved, preliminary assessments suggest that this can potentially include basic information on InvestHK's clients, such as the companies' contact information, and records of InvestHK staff. The organisation said it will inform relevant parties if and when further updates are available.

Meanwhile, InvestHK's public services remain normal. The public can continue to contact the staff of InvestHK through telephone, email or face-to-face meetings.

A spokesman for InvestHK said that upon identification of the incident, the department has taken immediate measures to tighten its IT security systems further to prevent further ransomware attacks. It has also followed established guidelines and procedures and reported the case to the police, the Digital Policy Office (DPO), the Office of the Privacy Commissioner for Personal Data and the Security Bureau respectively on the same day. InvestHK has condemned such malicious attacks and updated relevant access rights, isolated the affected systems, and activated backup procedures. 

The spokesman stressed that the department has been following government procedures on information and cybersecurity. To further strengthen its system security measures, it is seeking advice from the DPO and has appointed experts to assist with the investigation and recovery.

The spokesman added that InvestHK will not send embedded hyperlinks via emails, SMS messages or social media pages for collecting personal information or requesting for payment. It urges the public to stay alert and to refrain from clicking on any embedded links or providing any personal or financial information such as credit card information, or making any payment to suspicious emails or SMS messages.

Don't miss: HK privacy watchdog warns URA over data leak of 199 tenants and owners

InvestHK is not the only party in the city which came under fire for an alleged data leak. Most recently, Hong Kong’s privacy watchdog issued a warning letter to the Urban Renewal Authority (URA) for failing to prevent a leak of the personal data of 199 tenants and owners stored on a cloud platform.

The Office of the Privacy Commissioner for Personal Data (PCPD) released its investigation report on the data leak incident that the URA initially reported on 13 May 2024. The report highlighted that the personal data of members of the public stored on a URA cloud platform could be accessed by any person without inputting any account or password.

The incident affected the personal data of 199 owners and tenants who had replied to attend the briefing sessions. The affected personal data included telephone numbers, names of the contact persons and the details of their ownership or their correspondence addresses.

Related articles:

HK privacy watchdog uncovers security issues in Oxfam HK data leak
HK privacy watchdog slams EMSD over data leak involving 17,000 residents