Man, 30, held over hacking attacks on two Hong Kong travel agencies
Officers raid IT worker’s flat on Cheung Chau and also seize two desktop computers, two laptops, one tablet, three hard disks and five mobile phones
A 30-year-old Hong Kong man was arrested in connection with cyberattacks in which the computers of two travel agencies in the city were hacked and their clients’ sensitive personal information held for ransom, with payouts in bitcoin sought last week.
The two travel agencies reported the incidents to police on January 1 and 2.
One bitcoin (HK$123,735 or US$15,819) was demanded as a ransom in each hacking case, according to police.
Officers from the force’s Cyber Security and Technology Crime Bureau raided a flat in the outlying island of Cheung Chau and arrested the man on Saturday.
During the operation, police seized two desktop computers, two laptops, one tablet, three hard disks and five mobile phones in the flat.
At lunchtime on Monday, police escorted the suspect to his workplace on Hoi Yuen Road in the Kwun Tong district of Kowloon to gather evidence.
The Post understands the suspect, a computer technician, hacked into the computers of the agencies on New Year’s Day through security loopholes on their websites hours before the companies were hit with demands for a ransom to be paid in bitcoin.
“An email was sent to the persons in charge of the companies after the personal information of more than 20,000 customers was stolen from the computer servers of the agencies,” a police source said.
“The companies were told to pay in bitcoin in a newly opened account with threats that their customers’ data would be posted on the internet if the firms failed to pay on Saturday.”
The stolen information included customers’ names, identity card numbers and contact numbers but no credit card information was involved.
Officers from the Cyber Security and Technology Crime Bureau were understood to have worked around the clock and checked tens of thousands of log records to the servers to gather information.
“Investigations showed circuitous routes were used to hack into the computer servers, but officers eventually identified the suspect through his IP address,” another source said.
He said the man was nabbed at home on Cheung Chau hours before the payment deadline.
Officers would carry out a forensic examination of the victims’ computers and hard disks to gather information, he said.
At about 5pm on Monday, the suspect was still being held for questioning and had not been charged.
“We believe his motive was to look for money,” said bureau superintendent Swalikh Mohammed said.
Investigations were continuing and he did not rule out the possibility of further arrests.
“The cyber world is not a lawless place where criminals can hide. A majority of the laws applicable to the real world can also be applied to the internet,” he warned.
He said blackmail was a serious offence that carries a maximum penalty of 14 years in prison.
Travel agency Goldjoy Holidays revealed on Thursday that unauthorised parties accessed its customer database containing personal information such as names and identity card numbers, passport details and phone numbers.
The company apologised to customers and promised it was taking steps to tighten cybersecurity.
The other agency, Big Line Holiday, said on Wednesday night that hackers might have broken into its database a day earlier and gained possession of some of its customers’ personal information.
The data was believed to include ID card numbers, home return permit numbers and phone numbers.
In a statement, Big Line said: “Our company attaches great importance to this incident and deeply apologises to the affected clients.”
Big Line, which has 13 branches and organises tours to mainland China and Asia, said it received a letter from perpetrators demanding a sum of money for the release of the information.
In November, one of the city’s largest travel agencies, Hong Kong-listed WWPKG Holdings, revealed that its customer database had also been hacked, putting at risk personal data such as ID card numbers and credit card information of some 200,000 customers.
The culprits had asked for a seven-figure ransom, to be paid in bitcoin, but the firm did not pay and instead called the police, who later managed to decrypt the data. Because of the hacking incident, all four of the agency’s branches -in Tsim Sha Tsui, Mong Kok, Causeway Bay and Sha Tin – were closed for a day.
The force recorded 653 cases of cybercrimes in 2005, the first year it began tracking such offences, and saw the number reach 5,939 in 2016, with financial losses hitting HK$2.3 billion.