“Having discovered these safety hazards in our investigation, the force has contacted 80 local internet service providers to rectify the loopholes,” Joe Lau Ngo-chung, chief inspector of the force’s cybersecurity division, told the media at a briefing last Wednesday.

Several statutory bodies and prominent companies were among those that fell victim to hackers last year.

At Cyberport, the city’s technology hub, more than 400GB of data, including bank account information and identity card copies of its staff, was stolen in a ransomware attack last September.

The hackers demanded US$300,000 as ransom, threatening to release the information on the dark web, where criminals buy and sell data to use for scams and other illegal purposes. The ransom was not paid.

CEO of Hong Kong’s Cyberport to step down, sparking search for new boss

A week after that attack, hackers targeted the Consumer Council, taking the personal data of more than 25,000 staff, former employees, subscribers to its in-house magazine and participants of previous events. The hackers demanded a US$500,000 ransom, which the consumer watchdog did not pay.

Acting Senior Superintendent Baron Chan Shun-ching of the force’s cybersecurity and technology crime bureau said losses from cyberattacks shot up last year from a handful of cases involving large sums.

In the biggest case, a man allegedly stole HK$710,000 from his former employer over 14 months through unauthorised access to the firm’s internal systems.

The company reported to police and the case was still being investigated, Chan said.

In the five-month online sweep code-named “Operation Strongfighter”, police found 175,970 devices with serious internet safety loopholes after analysing more than 3 million pieces of data suggesting items were vulnerable to hacking.

These included 100,000 remote controls for high-risk network connection points, nearly 63,000 computer systems that were no longer supported and more than 4,800 out-of-date networks attached to storage devices.

Hong Kong Consumer Council falls victim to hackers 1 month after tech hub attacked

Nearly 40,000 other internet threats were detected and removed, most of them phishing websites used to trick victims into revealing their confidential information. The rest were 60 computers that controlled networks of bots and 4,006 computers taken over by hackers.

Police also took part in an international exercise organised by Interpol between September and last month against phishing websites, malware and ransomware.

The Hong Kong Police Force came up tops among 55 countries and regions for the number of busts, having removed 153 malware and phishing sites.

Paul Tsang Cheung-fai, a systems engineer director at Sangfor Technologies, said hackers usually began by searching for targets on social media, search engines or online port scans for vulnerable internet protocol (IP) addresses.

Once a target address was identified, the hackers would try to guess the password to gain access to data in the computerised device, before offering the stolen data for sale on the dark web.

Tsang said that once the hackers find out the victim’s password, they have the upper hand.

“They can conduct more in-depth attacks, such as installing a back-door program, and once the program is installed, they can conduct further actions such as controlling the device’s camera,” he said.

Senior Inspector Lau urged businesses to keep their systems up-to-date and use strong passwords.

He said he had come across firms which used weak, intuitive passwords such as “Admin” for their web administrator accounts, while others ignored risk alerts from safety scans on their own systems, exposing them to possible cyberattacks.

“Hackers first look for widely known loopholes in their scans,” he said. “If businesses have not updated their software and systems, cyberattackers could exploit them for further attacks.”