Hackers obtain 7,200 email addresses from Hongkong Post but personal data safe, department says
- Unauthorised party made ‘countless attempts’ to guess registered email addresses of account holders and ‘by chance’ found 7,249, department says
- Hongkong Post says no indication of tampering with account holders’ personal information
Hongkong Post has reported a data breach involving about 7,200 email addresses of account holders subscribed to its electronic service function.
The city’s privacy watchdog said it had launched a review of the incident after the postal service reported the case on Friday.
Hongkong Post said it had identified a data security issue involving 7,249 email addresses registered with its electronic service function.
But it stressed the hacker was unable to obtain the account holders’ personal information such as login names, passwords or transaction records held by the postal service.
“The incident involved an unauthorised party making countless attempts, through Hongkong Post’s electronic service function, to test and try to guess the registered email addresses of Hongkong Post’s account holders, and eventually by chance located 7,249 email addresses which were registered with Hongkong Post,” a spokesman said.
“Hongkong Post did not find any indication that there was any leakage of or tampering with the account holders’ personal information or any suspicious activities of the accounts concerned.”
The Office of the Privacy Commissioner for Personal Data said it had received a notification of the data breach.
“The office has launched a compliance review of the incident in accordance with established procedures and has also recommended that the relevant organisation should notify affected persons as soon as possible,” it said.
The incident came to light in the afternoon when a travel blogger claiming to have received a tip-off questioned why the postal service had only informed the affected account holders individually and did not make a public statement.
Hongkong Post said it reported the case to police and sought advice from the privacy watchdog on Wednesday, but did not formally make a report to the office until Friday. It had also informed the Government Information Security Incident Response Office, “according to the established government procedures”.
It was seeking advice from the office about how to enhance security measures.
“Hongkong Post will continue to closely monitor the situation,” a spokesman added.
The privacy watchdog suggested anyone concerned that have been the victims of a hack to change their email address and password for their online account and enable multi-factor authentication whenever it was available.
The postal service warned the public against clicking on any embedded links or providing any personal or financial information to any suspicious emails or SMS messages allegedly sent by Hongkong Post.
The spokesman said the postal service would not embed hyperlinks via emails, SMS messages or social media pages to collect personal information or request payment.
A number of prominent organisations or groups have been hacked in recent weeks, including Hong Kong Ballet, the Consumer Council and the city’s showcase IT park Cyberport.
