Jewellery firm probes possible hit by hacker
Records of 5 million customers may have been accessed in a ransom attempt
A major Hong Kong-based jewellery chain is attempting to verify claims that a hacker accessed the records of 5 million customers and is seeking a ransom of more than HK$190,000 in cryptocurrency.
The alleged incident is the second to come to light in the past two days, after the city’s privacy watchdog launched an investigation into the leak of more than 8,000 students’ data at a private vocational college.
Luk Fook Holdings yesterday evening said it learned “on or about May 7” of a threatening post to an underground forum by the suspected hacker.
“The threat actor claimed to have access to the customer records of the group and invited bids for access to such records,” it said.
The business group said it was conducting an investigation with the help of a cybersecurity consultancy firm.
The post claimed that the forum user had the membership information of 5 million Lukfook Jewellery customers and planned to sell the data for 25,000 Tether coins, worth about HK$195,000.
According to its interim report for the 2023-24 financial year, Lukfook Jewellery has 66 shops in Hong Kong and Macau, as well as more than 3,200 outlets in mainland China.
The company said the investigation “involved, among others, an assessment of the validity and underlying cause of the [incident] and a comprehensive review of the security of the group’s systems and servers”.
“As of the date of this announcement, said investigation is still ongoing, and it is not certain whether there has been any leakage of customers’ records … and if so, the extent of the leak,” it said.
Luk Fook Holdings said the incident had been reported to police and the Office of the Privacy Commissioner for Personal Data, with authorities to assist with the investigation.
“The group is committed to protecting its customers’ information and their privacy to defend against any such incident in the future by continuously strengthening its information system security measures,” it added.
The city’s privacy watchdog said it had received a notification from the company over the alleged incident.
The privacy commissioner’s office also said it earlier received a report of a data breach at the Hong Kong College of Technology on February 21, with a subsequent investigation showing about 8,100 students had been affected.
The leaked information includes students’ names, ID card numbers, email addresses, phone numbers and residential addresses.
The college also apologised for the data leak and said the incident had been reported to police and the privacy commissioner’s office.
Those affected by the data leak would receive free credit and dark web monitoring services for six months, the college added.