Two Hong Kong travel agencies apologise as hackers demand payment for stolen customer data

The computers at two Hong Kong travel agencies were hacked this week, as perpetrators held sensitive personal information ransom with one seeking a payout in bitcoin.

The latest incidents involve the second and third travel agencies admitting falling victims to this style of cyberattack in as many months.

On Wednesday, police received reports from the two agencies. Officers have categorised the cases as blackmail.

A police insider said the hacking tactics of both cases were similar and that the Cyber Security and Technology Crime Bureau was investigating if they were linked.

Goldjoy, which has three branches, revealed on Thursday that unauthorised parties accessed its customer database containing personal information such as names and ID card numbers, passport details and phone numbers.

The company apologised to customers and said it was taking steps to tighten cybersecurity.

Be vigilant, hackers never take a holiday

Meanwhile, Big Line Holiday revealed on Wednesday night that hackers might have broken into its database a day before and gained possession of some of its customers’ personal information.

The data is believed to include ID card numbers, home return permit numbers and phone numbers.

In its statement, Big Line said: “Our company attaches great importance to this incident and deeply apologises to the affected clients.”

Big Line, which has 13 branches and organises tours to mainland China and Asia, said it received a letter from perpetrators demanding a sum of money for the release of the information.

A police source familiar with the matter said a ransom of 1 bitcoin, worth HK$114,000 (US$14,500), was demanded by the hackers.

The source added that police were no closer to knowing the exact kind of customer data affected because it was locked by the perpetrators. The breach did not mean hackers had stolen the data outright.

On Thursday a police spokeswoman said officers received reports from two companies in relation to cyberattacks – without naming them.

On the same day, Undersecretary for Commerce and Economic Development Dr Bernard Chan Pak-li visited Goldjoy’s Admiralty branch following the incident.

Referring to the wider implications of such threats to the industry, Chan said HK$10 million worth of funding was still available for small to medium sized travel agencies to shore up their IT defences.

Separately, Big Line added it had taken immediate countermeasures and reported the case to police and the city’s privacy watchdog.

“[Our] network security is now being strengthened. External technical assistance has also been hired to ensure that vulnerabilities in the system are fixed.”

How your smart home is vulnerable to hackers, and what you can do to protect yourself

A spokesman for the Office of the Privacy Commissioner said the watchdog was concerned about the incident, particularly since it might involve a large amount of sensitive personal data. The office said it was conducting a compliance check on Big Line.

Under the Personal Data (Privacy) Ordinance, a user must take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use, the office said.

“Travel agents, as data users, should take all reasonably practicable security measures to protect customers’ personal data,” Privacy Commissioner Stephen Wong Kai-yi said, expressing concern over a “rising trend”.

“Due to ever-changing technology, causes of cybersecurity incidents have become diversified, making tracing the incidents more challenging.”

In November, one of Hong Kong’s largest travel agencies, WWPKG Holdings, revealed that its customer database had also been hacked, putting at risk personal data such as ID card numbers and credit card information of some 200,000 customers.

The culprits had asked for a seven-figure ransom, to be paid in bitcoin, but the firm did not pay and instead called the police, who later managed to decrypt the data.

Simple coding mistake exposes 180 million phones to hackers, security firm says

Francis Fong Po-kiu, president of the Hong Kong Information Technology Federation, said small and medium-sized firms tended to have lower cybersecurity awareness and preparedness.

Firms in industries that collect large amounts of up-to-date customer data – such as travel agencies – were vulnerable targets, he said.

Additional reporting by Danny Lee and Christy Leung