How hackers demanding seven-figure bitcoin ransom stole 20,000 sets of credit card details
Hong Kong-listed travel agency apologises for breach, and says it refused to pay the ransom
A major Hong Kong travel agency apologised on Wednesday after hackers stole personal information on 200,000 of its customers, including 20,000 sets of credit card details.
Hong Kong-listed Worldwide Package Travel Service, founded in 1979, said it could not estimate the losses or how long it would take for the issue to be resolved, adding that it rejected the attackers’ seven-figure ransom demands.
Its chief executive said customers who paid for trips would still be able to continue with their journeys, and people who wanted to buy holidays with them still could – albeit using technology from “30 or 40 years ago”.
More than two days after its database was compromised, the firm’s executives came out on Wednesday to give an account of the incident. Chief executive Yuen Chun-ning, chief financial officer Queenie Hon and IT manager Edmond Lai bowed in front of the cameras before apologising to affected customers.
China’s central bank is developing its own digital currency, even as it bans bitcoin and private cryptos
Yuen said hackers told the company on Monday morning that the system had been breached.
The database, which handles company operations from reservations to payment, held the personal information of about 200,000 customers.
Yuen said about 10 per cent of the customers – 20,000 people – had their credit card details stolen. The hackers also took people’s phone numbers, passport information and Hong Kong identity card numbers, and addresses.
A police source said it seemed the hackers broke into the computer of the agency’s head of IT and then broke into the company server.
“Through the server, hackers changed the passwords of users and made [their accounts] inaccessible,” the source said.
The hackers left an email for bosses to communicate with them. According to Yuen, the hackers demanded a seven-figure ransom, to be paid in bitcoin. Yuen did not say what they offered to do in return for the ransom, but in similar cases, hackers will usually offer to unlock the data upon receipt.
It was understood that Yuen bargained with the hackers over email. The company had backup files of the data stored in the computers.
Watch: What’s in a hacker’s arsenal?
“After deliberations with our board of directors, we decided not to pay the ransom,” Yuen said.
“Not only do we not trust hackers, we believe this kind of behaviour should not be encouraged.”
Yuen said the company regularly upgrades its system security, which was inspected by a third-party contractor earlier this year.
He refused to disclose the identity of the hackers or the method they used, citing an ongoing police investigation. He said only that it was an “unusual” method, not commonly heard of.
Affected customers would be notified as soon as possible, he pledged, but he said the company had not heard of any financial loss as of Wednesday.
By Wednesday, the company website was still suspended, but its four branches had reopened their doors after shutting for the whole of Tuesday.
“We still accept customers who wish to sign up for tours, but this will take some time. Imagine how things were done over the phone 30 or 40 years ago,” Yuen said. The company specialises in package trips to Japan.
Two cybersecurity firms were working with police to find the attackers and fix the damage they did to the database. If that fails, customer information will have to be inserted manually from paper records, Yuen admitted.
Additional reporting by Clifford Lo
