By Arthur Chan

Hong Kong, 2 September 2024: The scale of the cybersecurity threat to Hong Kong has been illustrated by a string of media stories in recent months. Everyone is at risk, from ill-prepared corporations to unsuspecting individuals, as rogue online operators use increasingly sophisticated methods to persuade people to part with their money.

Last month, it was revealed that nearly half of about 30,000 websites in our city are not safe against cyberattacks. The Hong Kong Internet Registration Corporation said it had regularly examined websites over the past five years and found 44% of them used unsafe hyperlinks to third-party services, leaving users exposed to security risks.

This non-profit-making and non-statutory corporation, designated by the government to administer the registration of internet domain names in Hong Kong, also found 32% of websites disclosed server information, making it easier for online criminals to trigger attacks. Further, 26% had improper cookie configurations, which hackers could utilise to induce users to install malware.

Meanwhile, police are handling an increasing number of technology crimes. The force has revealed 16,182 such cases were logged in the first six months of this year, an increase of 3.5% on the same period last year. The losses in these cases amounted to HK$2.66 billion.

Police investigated 26 cases involving ransomware – a type of malware that holds data hostage in return for money – from January to June this year, compared with just seven ransomware cases in the first six months of 2023. Among the latest incidents, the highest ransom demanded was HK$78 million.

In July, Oxfam’s Hong Kong office confirmed it had experienced a cyberattack. The NGO immediately launched an investigation and engaged experts to examine the affected systems to assess the impact of the attack. It also reported the incident to the police, the Office of the Privacy Commissioner for Personal Data (PCPD), and the Hong Kong Computer Emergency Response Coordination Centre.

Separately, the city’s sole distributor of BMW vehicles revealed that around 14,000 customer records had been affected by a “cybersecurity incident”. BMW Concessionaires said it had notified the PCPD and had engaged an external cybersecurity expert to investigate. It was the latest in a string of data breaches from major public bodies, government departments, schools, hospitals and corporations.

With cybercrime on the rise, it is worth noting recent measures taken by the authorities:

Enhanced anti-fraud alerts: Some 32 banks and 10 stored-value-facility operators now send a warning when users make payments to suspicious accounts, either in-person at bank counters or online. The service – a joint initiative by the Hong Kong Monetary Authority, the police and the Hong Kong Association of Banks – will be extended to ATMs later this year. The expansion means around 84% of bank transfers will be protected in such fashion.

Cybersecurity legislation: The government is seeking to regulate the protection of computer systems in sectors which are essential to the smooth running of the city, such as financial institutions, healthcare systems, telecoms services, power supplies and transport networks. Under the Protection of Critical Infrastructure (Computer System) Bill, which is due to be brought before the Legislative Council by the end of this year, operators of such systems will be required to ensure their integrity and reliability, while a new Commissioner’s Office will oversee the regime and ensure implementation.

Digital Policy Office (DPO): An initiative unveiled by city leader John Lee in his 2023 policy address, the DPO opened last month under the Innovation, Technology and Industry Bureau. While it will spearhead the development of digital government and promote the application of advanced IT throughout the administration, it will also play a key role in strengthening digital infrastructure and security.

Amid these laudable efforts, law enforcement bodies stress that artificial intelligence (AI) is making their task significantly more difficult as scammers employ it to devastating effect. AI has enabled deepfake technology to reach astonishing levels of sophistication, with cybercriminals now able to manipulate sounds, images and videos to deceive individuals and organisations.

In a widely-reported incident earlier this year, a finance worker in the Hong Kong office of a global firm was duped into transferring HK$200 million to scammers after attending a video call with people he believed were his firm’s CFO and other colleagues but who turned out to be deepfake re-creations.

While law enforcement bodies in Hong Kong strive to combat cybercrime through more intelligence-driven operations, fostering international co-operation and stepping up education, the onus is also on the public to be more vigilant. The basics include never divulging personal information, keeping passwords confidential, reporting suspicious activity, being cautious of emails from unfamiliar senders and exercising due diligence.

Likewise, firms of all sizes, organisations and public bodies are strongly advised to review their existing cybersecurity arrangements, implement encryption tools to protect sensitive data and communications, and stay informed about the latest cybersecurity threats and best practices.

Anyone who falls victim to deception should report it immediately to the police and any other relevant authority. There are ways to recover lost funds through legal action, but it is crucial to act swiftly and seek professional advice to maximise the chances of successful restitution.

Arthur Chan is a Partner with BC&C. He specialises in Criminal Litigation and cyber fraud recovery claim and also develops a broad range of civil and commercial litigation such as immigration, personal injuries and employment issues. He has successfully dealt with cases involving account freezing and recovery, in one notable instance retrieving more than US$1 million that was stolen in an email scam. He can be contacted at Arthur@boasecohencollins.com.