A ransomware group has claimed that it has gained access to more than 400GB of organisational data, according to a social media post. Photo: SCMP

Hong Kong tech hub Cyberport alerts police, privacy watchdog after reports of ransomware attack exposing 400GB of data

  • Social media report claims ransomware group Trigona has targeted Cyberport
  • Cyberport says it has shut down affected computer equipment and conducted investigation with cybersecurity experts

Tech hub Cyberport has alerted police and Hong Kong’s privacy watchdog about a cybersecurity breach, with a ransomware group reportedly claiming it has gained access to more than 400GB of its data and wants US$300,000 to return it.

The data, including bank account information and soft copies of ID cards, was also being offered to other parties who could bid for access, with a reserve price set at US$300,000, an IT expert said on Thursday after examining the material on the dark web, a hidden corner of the internet.

“If 1GB refers to one person, there are at least 400 victims,” said Anthony Lai Cheuk-tung, a malware analyst and security incident responder at Hong Kong-based cybersecurity firm VX Research.

The business park has 140 employees and is a base for 1,900 start-ups and tech companies.

Police said they had passed the case to their cybersecurity and technology crime bureau for investigation, and that no arrests had been made so far.

Without naming a possible culprit, Cyberport on Wednesday issued a statement condemning an attack by an unauthorised third party which had infiltrated part of its computer system. It also said it had taken swift action after discovering the intrusion.

The incident was first disclosed on Tuesday by the cybersecurity information platform FalconFeedsio. Photo: Handout

The Office of the Privacy Commissioner for Personal Data on Thursday said it had received a data breach notification from Cyberport on August 18 and commenced a compliance check into the incident.

The office “advised the relevant organisation to notify the affected data subjects as soon as possible”, a spokeswoman said.

Cyberport said it discovered in mid-August that some computer files had been locked and that it was suspected an unauthorised third party had invaded its computer system.

It added that no evidence indicated that any personal data was used improperly at the time, but declined to answer why it did not immediately reveal the breach after discovering it last month.

The incident was first disclosed on Tuesday by cybersecurity information platform FalconFeedsio, which said on social media that ransomware group Trigona had added Cyberport to its victim list.

According to Palo Alto-based cyber-risk consultancy Unit 42, Trigona ransomware is relatively new and was first discovered by security researchers in late October 2022, with affected organisations involved in manufacturing, finance, construction, agriculture, marketing and hi-tech industries.

The ransomware group said it had gained access to more than 400GB of Cyberport organisational data, according to the social media post. The hacker also offered to sell the information for US$300,000.

Cyberport said it had shut down the affected computer equipment and conducted a thorough investigation with the help of independent and external cybersecurity experts.

It said it had reported the case to police, the Office of the Privacy Commissioner for Personal Data and relevant departments, adding that it would fully cooperate in the investigations.

But the business park did not confirm the scale of the data breach.

Lai said the data included the personal information of Cyberport executives, such as soft copies of ID cards, CVs, bank account details and marriage certificates.

A deadline of Monday was set on the dark web before the information would be made publicly available.

Lai said Cyberport could have fallen victim to the attack in three ways – phishing emails, loopholes in its database and remote desktop access.

He said the attack could have been achieved through a virus that, once downloaded, would steal passwords on the system, explore shared files and encrypt them.

“It can only be done when the cybersecurity control is very loose and feeble,” he said. “I reckon Cyberport has not done its IT and cybersecurity auditing as it should be done.

“If Cyberport decides not to pay the ransom, then it should download all the leaked data when it is exposed and compensate the victims and affected parties.”

Cyberport said it would strengthen its systems, notify affected parties and provide all necessary help, as well as set up a dedicated email to handle inquiries over the incident.

The government-funded hub provides capital, office space and access to technology to help local start-ups in their early stages.
