Those affected should stay vigilant and watch out for unusual logins involving their personal emails as well as unauthorised transactions on their bank statements, the office warned.

The SCAA issued an apology on Facebook on Monday night, saying its computer servers had been subject to “unauthorised third-party intrusion” on Sunday.

The club acted immediately to shut down the affected computer equipment to “maximise the protection” of its members’ personal data, it said.

The association also invited professional internet security teams to conduct a comprehensive server inspection and repairs.

The club said it had reported the incident to police, stressing there was no evidence to suggest that members’ personal data had been leaked into the public domain.

‘More data security training needed amid wave of breaches in Hong Kong’

The association was founded in 1908 as a football team and gradually turned into a multi-discipline sports club, catering to the growing demands for athletic facilities in the city over the decades.

The latest available figures showed the club had more than 70,000 members as of 2021.

The privacy watchdog logged 157 data breach notifications in 2023, marking a nearly 50 per cent surge compared with the 105 cases logged the previous year.

Figures from the watchdog showed public sector enterprises accounted for 48, or nearly a third, of all reported data breach incidents last year.

The number of data breaches involving hacking also doubled from 29 in 2022 to 64 in 2023, accounting for about 41 per cent of all recorded cases.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said it was crucial for companies to hire internet security experts to reduce the risk of being hacked.

“In most cases, it’s because employees clicked on a virus-infected email, or there are vulnerabilities in the Wi-fi that give hackers an opportunity,” he said.

Many companies in the city had inadequate network security measures in place, he added.

Personal data of 25,000 Hongkongers at risk after cyberattack against watchdog

“Have the firewalls been upgraded? Has a network security vulnerability assessment been conducted? Are there any issues with employees’ work habits? Companies should conduct checks every three to six months and promptly update the software they use,” Fong said.

The city witnessed another data breach in early January, when the Social Welfare Department apologised after a contract staff member “improperly copied” the English names of 1,300 applicants for the Special Care Subsidy Scheme for Persons with Severe Disabilities to the internet.

The privacy watchdog last October discovered that the personal data of 2.6 million global users of Singapore-based online marketplace Carousell, including 324,232 Hong Kong account holders, was for sale on the dark web.

In September, tech hub Cyberport was blackmailed by a ransomware group that hacked its system and purportedly stole and encrypted its data including bank account information and soft copies of ID cards.

The group demanded US$300,000 for access to 400GB of the hub’s data.

That same month, the Consumer Council also revealed that the personal data of more than 25,000 people might have been leaked in a cyberattack.

Additional reporting by Jack Deng