Hong Kong police unlock WWPKG travel agency customer data held ransom by hackers
Culprits had demanded seven-figure sum, to be paid in bitcoin
Police have managed to unlock the personal data for about 200,000 customers of a major Hong Kong travel agency after the information was held ransom by hackers for three days.
In a statement on Thursday, Hong Kong-listed Worldwide Package Travel Service, or WWPKG, said police had helped it decrypt the database, which had been encrypted by hackers since Monday morning.
The culprits had asked for a seven-figure ransom, to be paid in bitcoin, but the firm did not capitulate and called police instead.
“A preliminary police investigation showed no signs suggesting that the customer data had been sold,” the statement read.
A police spokesman confirmed the data had been decrypted, without providing details.
This came a day after the agency’s chief executive, Yuen Chun-ning, said 20,000 people – about 10 per cent of the affected customers – had had their credit card details leaked during the hackers’ unauthorised entry to the database, which handles company operations from reservations to payment.
Yuen said the hackers also stole phone numbers, passport information, Hong Kong identity card numbers and addresses.
A police source said the data had been locked by BitLocker, a tool built into Microsoft Windows that allows encryption. Officers had to analyse a large amount of data for traces left by the hackers before being able to decrypt the information.
The company said in its statement that customers who had used their credit cards for bookings on its website should monitor their accounts. They should also change the relevant passwords.
Due to the hacking incident, all four of the agency’s branches – in Tsim Sha Tsui, Mong Kok, Causeway Bay and Sha Tin – were closed on Tuesday and reopened the next day. Its website remained unavailable as of 8am on Friday.