Over 600 people’s personal data stolen after school server hacked in latest cyberattack on local entities

A Hong Kong school has seen its computer system invaded by hackers, causing the personal data of over 600 people to be leaked. It is the latest known cyberattack targeting local groups and institutions in recent months.

Hong Kong Institute of Contemporary Culture Lee Shau Kee School of Creativity. Photo: Kyle Lam/HKFP.

Hong Kong Institute of Contemporary Culture Lee Shau Kee School of Creativity (HKICC), a liberal arts secondary school, said in a statement last Saturday that the school discovered a ransomware attack on its servers last Monday.

Data amounting to eight terabytes was encrypted and stolen. The data involved the personal information of current students and their families, graduates in and after 2021, teaching staff and the school’s tenants. Internal documents were also leaked, the school said.

The data breach came amid a wave of cyberattacks in which at least four groups have been the target of computer hacks since last August, including the technology park Cyberport, the private Union Hospital, the Consumer Council, and the Hong Kong College of Technology.

Photo: Rachel Johnson, via Flickr.

In response to HKFP on Tuesday, the school’s vice principal Ger Choi said all data was encrypted by hackers and that it was unclear if any data has been shared online. Investigation was ongoing.

Choi said the school had received a ransom note. “But we need to download another software to read the note. At this stage we did not know the details of the note,” Choi said in Cantonese.

The HKICC said it informed the Education Bureau, the police, Office Of The Privacy Commissioner For Personal Data (PCPC) and the Hong Kong Computer and Emergency Response Team and Coordinating Centre about the attack on the same day it learned about it.

The Office of the Privacy Commissioner for Personal Data. File photo: Peter Lee/HKFP.

The school apologised to the people affected and cautioned them to be alert to potential scams and messages from strangers.

Wave of cyberattacks

The Hong Kong College of Technology said earlier this month that the school suffered a ransomware attack in late February, leading to a data breach involving around 8,100 students.

In August last year, a hacker invaded Cyberport’s network and encrypted files on the server. The hackers demanded a ransom of US$300,000. Cyberport did not pay and 400GB of stolen data was later posted to the dark web, TVB reported.

Cyberport. File photo: GovHK.

In September last year, the Consumer Council’s computer system was hacked, resulting in a data breach involving the information of current and former staff, as well as 289 members of the public who had made complaints to the council.

Union Hospital saw its servers attacked by ransomware called LockBit in April, resulting in partial operational paralysis, local media outlets reported.

Help safeguard press freedom & keep HKFP free for all readers by supporting our team

© Hong Kong Free Press