Cyberport was hacked, and up to 400GB of data was stolen and put on the dark web for free download. Computer security researcher Lai Zhuodong questioned how hackers were able to use a Cyberport vulnerability from two years ago to successfully steal data for blackmail, calling it shocking and describing it as serious negligence. He added that hackers exchange vulnerability information, so different hacker groups may continue to attempt blackmail. He also mentioned that Singapore amended its legislation in earlier years to increase fines, so that a data breach is fined immediately, whereas Hong Kong's legislation lacks deterrent effect.
LegCo Panel member Ng Kit-chung pointed out that the incident reflected Cyberport's lack of cyber security awareness, which was very serious, and said he believed the Government needed to strengthen the supervision of data managers and formulate contingency plans.
Computer security researcher Lai Zhuodong said on the commercial station program "Departure on a Clear Day" that Cyberport manages different start-ups and technology companies, and that at its scale such an incident should not be possible. This time hackers exploited vulnerabilities from two years ago to attack and blackmail, yet Cyberport should have had penetration testing and regular patching of vulnerabilities; that such an incident still occurred in the end is shocking and obviously grossly negligent.
Lai Zhuodong: Cyberport still has vulnerabilities in its online system
He also pointed out that the information shows there are still vulnerabilities in Cyberport's online system, and that hacker groups communicate with each other privately: "like a New Year's Eve, a plating orange (blackmail) at your door, every two or three days the second organization is again plating oranges, so serious". He said he has assisted organisations that were blackmailed in the past, and that paying the ransom does not mean the data will not be leaked; a second hacker group may come knocking, "in a few months there will be a second one, and the second one will be obtained once to the second".
Lai Zhuodong also mentioned that Singapore amended its law in earlier years: when a company has a data breach, regardless of the reason, it can be fined 100 million Singapore dollars or 10% of the company's income in the current year. By contrast, the Office of the Privacy Commissioner can only investigate incidents and issue warnings, and at present cannot impose penalties for data leaks, which lacks deterrence; he urged the Government to review its policies.
Lai Zhuodong. (Photo by Hong Yeming)
The Privacy Department recommends that organisations report data breaches
At present, the Office of the Privacy Commissioner has a "Data Breach Incident Notification", which does not require data users to notify the Privacy Department of the breach, but data users are advised to do so to properly handle the incident.
Under the PDPO, which requires data users to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use, the Privacy Commissioner may issue an enforcement notice to a person who is proven to have violated the law for rectification, which is punishable by a fine of up to $5,1000 and imprisonment for two years, plus a daily fine of $10,2000; repeat offenders are liable to a maximum fine of $<>,<> and imprisonment for two years, plus a daily fine of $<>,<>.
Wu Jiezhuang. (Photo by Lu Yiming)
Wu Jiezhuang: Legislation for immediate punishment requires social consensus
LegCo Panel member Ng Kit-chung said that the data leaked at Cyberport involved sensitive data of employees, reflecting a lack of cyber security awareness, and that the incident was very serious. He believed the Government needed to strengthen supervision over data managers, so that once a data breach occurs there are mechanisms and actions to deal with it. As to whether it was necessary to imitate other places and impose punishment immediately when an incident occurred, he believed social consensus was needed.
He also pointed out that hackers will be surrounded by "predators", and that it is estimated that Cyberport is not only blackmailed in Hong Kong. He believes that the relevant committees of the Legislative Council will discuss the incident.
Sun Dong: Hong Kong law can play a role in severely punishing you
On another occasion today, the Secretary for Innovation, Technology and Industry, Mr Sun Dong, was asked about the current lack of penalties for data leakage in Hong Kong. He only reiterated that cybercrime and other existing offences are "criminal acts", stressing that the relevant laws in Hong Kong "can play a role, please do not worry, once we investigate clearly, we will definitely impose severe legal punishment."