Early morning on November 30, I turned on my computer to find – gobbledegook. Any sleepiness evaporated as I discovered that my server had been hacked into. All the files had been encrypted. Eventually, we found a ransom note inviting payment of US$3,000 in bitcoin if we wanted the key to “decrypt” the files on our server.

Over the next two weeks, we struggled in vain to recover the files. We contacted Hong Kong’s cybercrime unit and spent a long but futile night in Tseung Kwan O police station compiling a police report. That exercise was useless in terms of recovery, but I suppose could be important if you or your company has a relevant insurance policy.

We did not explore the bitcoin market or pay the hackers. I suppose, by now, they have thrown away the “key”. We began the painstaking process of reinstalling and rebuilding our computer system.

Our information technology provider was next to useless – fine for basic system upkeep, but hopelessly inexpert at giving advice on data recovery. He quickly recommended that we pay the ransom. At times like this, you realise that the people best equipped to rescue your system are the people best equipped to hack it.

Six weeks later, there are holes that we have not fully recovered, but we will live without them. Luckily, I have no sensitive data, client files or confidential customer information. For many other companies, the headache could have been far, far worse. Perhaps that was why they were asking for just US$3,000. According to PurpleSec, the US cybersecurity firm, the average cost of a ransomware attack is US$133,000.

As I begin to feel less angry, I remind myself of when my house was burgled 10 years ago while I was away on business in Beijing. I returned to find nothing stolen except two punnets of Häagen-Dazs ice cream – they left the empty punnets on my table. Sometimes it is lucky to realise you have nothing worth stealing.
The main upset is the sense of vulnerability – that people with evil intent had tramped uninvited about your rooms, rummaged through your clothing, used your toilet.

Imagine then, the sense of panic felt across the United States in December when cybersecurity group FireEye admitted it had been hacked into, and it was discovered that SolarWinds, a software supplier to over 300,000 companies and government departments, had unwittingly sold contaminated Orion software to at least 18,000 of them.

The perpetrators were not tawdry malware hackers set on lining their pockets with ransom, but a group of state-supported spies, thought to be from Russia, who used the opening provided by the SolarWinds software to creep around, undetected, inside carefully targeted companies and government departments for at least nine months. It reminds me of those wasps that inject their eggs inside a caterpillar, and then leave the infant wasps to consume the caterpillars from the inside.

The scope of the invasion is awesome. So far, the list of affected US government departments includes the Commerce Department, Department of Homeland Security, Pentagon, US Treasury, US Postal Service, Department of Energy, and National Institutes of Health. Even now, the investigators do not know how long the invaders have been roaming, what they were seeking, and what they have taken away.

It powerfully illustrates the alarming growth of cybercrime in its many forms. A report from the Centre for Strategic and International Studies (CSIS) and security firm McAfee, released last month, estimated global losses from cybercrime at just under US$1 trillion for 2020 – nearly double the losses estimated in 2018.

Here in Hong Kong, the government estimates that financial losses from cybercrime reached more than HK$2.9 billion (US$374 million) in 2019. By far, the majority were business email scams – normally, emails from supposedly legitimate sources asking for bills to be settled.
Ransomware back in 2019 was still relatively rare. More common were e-shopping frauds, and the sad and often tragic “romance scams”, which in 2019 led to almost 600 victims losing about HK$218 million – around HK$370,000 per victim. The Covid-19 lockdowns are reported to have added powerfully to cybercrime activity, as online shopping and remote working surged.

The CSIS report says that China is the busiest source of hacking, with most of it focused on intellectual property theft, while the Russians were second, and mostly focused on espionage and intelligence. Perhaps inevitably, it does not report numbers on America’s own efforts to hack, even though it is evident that the only way the US learns about much hacking activity is by means of its own extensive and highly sophisticated hacking efforts. Recall that without Julian Assange’s WikiLeaks, we would never have learned that US intelligence had hacked Huawei Technologies Co and installed software “back doors” in Huawei hardware.

What are my lessons from all this? First, and obviously, cybercrime in its many forms is set to become increasingly pervasive as so much more of our lives is conducted across the internet and our data becomes increasingly valuable. Most of us – particularly the old – will remain hopelessly vulnerable, out of basic ignorance of the way the cyberworld works.

From my own malware attack, the lessons are more basic. First, the attack came as I was moving office to my home. Small servers outside cyber-strict office networks are child’s play for any hacker. Second, your IT support may not be as expert as you expect, whatever a contract says. Third, when your server gets attacked, you learn quickly that it is a mistake to store your backup on the server. Storing regularly on a separate hard drive should be essential.
Fourth, scan for viruses obsessively, and disconnect your system to airplane mode every time you sign out. Fifth, get serious about passwords, no matter how irritating they are. Sixth, be constantly alert to stray or unexpected emails. Finally, do not trust anyone – even your IT vendors.

So far, I have been lucky. I do not have much that anyone wants to steal. But the rummaging intrusion into my privacy remains infuriating. Losing two punnets of Häagen-Dazs may not be much, but the fact that they ate the ice-cream, probably sitting on my sofa with their feet up, watching my TV, still makes me shudder.

David Dodwell researches and writes about global, regional and Hong Kong challenges from a Hong Kong point of view