One of Hong Kong’s largest travel agencies, WWPKG Holdings, revealed its customer database was hacked on Monday, putting at risk personal information such as ID card numbers and credit card information.
The agency, which specialises in tours to Japan, made a police report on Monday morning and shut down its website and offices.
Police officers from the cybersecurity and technology crime bureau were investigating the case, while a police source on Tuesday said the compromised computers were in both WWPKG’s main and branch offices, and used mainly by senior management.
Hackers have their sights on Hong Kong, cybersecurity experts warn
It is understood that an email address was left behind for staff members to make contact with the perpetrators.
“At this stage, there was no attempt to demand money from the company, but the [staff members] were asked whether they needed help to unlock the computers.
“We believe the move was to interrupt the company’s operation and ultimately demand money,” the police source said.
WWPKG Holdings, which is listed on the Hong Kong stock exchange, said an unauthorised party accessed their customer database on their system on Monday, which “may contain information such as their clients’ names, HKID card numbers, passport numbers, credit card information, phone numbers, email address, mailing address and purchase history”.
Its statement to the stock exchange did not reveal how many customers were potentially affected and if the data was stolen.
“We are reaching out to every possibly affected customer to alert him or her of this data breach and the potential exposure of personal information. We are committed to protecting our customers’ information and their privacy to ensure against any such incident in the future. We will continue to strengthen the security of our systems,” the statement read.
It added that the potential breach would not have “any material adverse impact on the group’s operation and financial condition”.
All four of its branches – in Tsim Sha Tsui, Mong Kok, Causeway Bay and Sha Tin – were closed on Tuesday and its website was also not available. In a Facebook post, the company said the closure was for a “computer security system upgrade” and its services would resume at 12pm on Wednesday. Customers should contact the agency at 3443 0880, the notice said.
When the Post called the hotline, a staff member said he could not confirm if any personal data had been compromised.
“At this moment, because all of the data has already been passed to the police, and because we are upgrading our computer system, we are unable to check [on this].
“But we will make calls personally if there are any problems regarding individual cases,” he added.
The police source said that the hackers were likely to be based overseas and that police would get help from their foreign counterparts to crack the case if necessary.
He believed the hackers used phishing tactics to find targets around the world.
Another police source said there had been several similar cases in Hong Kong each year but the victims did not end up paying money to the hackers.
The Post was told that in some of the previous cases, the hackers were from Russia and Indonesia.
Shares for WWPKG were down 1.16 per cent to HK$0.85 at 2.40pm on the Hong Kong stock exchange on Tuesday.
The city’s data privacy watchdog also said it had initiated a compliance check on WWPKG.
“The Privacy Commissioner is concerned about the incident, particularly since it may involve a large amount of sensitive, personal data,” a statement from the Office of the Privacy Commissioner for Personal Data said.
The office has the power to conduct compliance checks and formal investigations, if it believes a company may have violated the Personal Data Privacy Ordinance.