Hong Kong companies and residents lost more than HK$2 billion (US$256.4 million) to cybercriminals in the first nine months of this year, while businesses sustained more than 9,000 cyberattacks as hackers increasingly targeted the city – ranked in the top five global destinations for such activity in a recent digital security report.
The year’s financial losses, about HK$2.26 billion by September, were a 565 per cent increase from 2012, according to police data.
The 9,122 security breaches and cyberattacks businesses reported so far this year to the information security watchdog Hong Kong Computer Emergency Response Team (HKCERT) were also a significant increase, rising 55 per cent compared with the first 10 months of 2017.
But the actual volume of attacks is much higher. Hong Kong’s computers and mobile devices were hit by around a million cyberattacks on one digital security network alone over a period of three months from April to June this year.
That pushed the city into a top five spot for cyberattacks, according to LexisNexis Risk Solutions, which publishes the ThreatMetrix global cybercrime report. Four of the top five sources of cyberattacks globally, the United States, Britain, China and Canada, all had Hong Kong among their top targets in the second quarter this year. Other attack destinations included the United States, Canada, Britain and Australia.
The figures indicate that this year’s high-profile cybercrimes like the theft of customer data from Cathay Pacific Airways and Hong Kong Broadband Network are not isolated incidents. A clear trend shows Hong Kong companies and individuals are both vulnerable and increasingly targeted by cybercriminals.
“Financially motivated cyberattacks have been proliferating,” said Wilson Wong Ka-wai, general manager of the information technology division at the Hong Kong Productivity Council (HKPC), who oversees HKCERT.
He said it was time businesses put more effort into protecting their systems and public websites.
Cybercriminals attack businesses by forcing entry into their networks, often using phishing emails, where employees are encouraged to click on a file that infects the network. With this access, attackers have a host of options for exploiting the company.
“They will go and infiltrate important information that is in high demand in the market, that can be customer information, like credit card, personal address,” said Kok Tin Gan, a cybersecurity and privacy partner at PricewaterhouseCoopers China, who helps clients prevent and respond to attacks.
He said stolen customer identity information could then be sold to other criminals via the “dark web”, putting the victims at risk of being targeted for further financial crime.
“Or [hackers] will go into the financial department and see how the company transfers money, like wires to the bank or to a vendor, and they will intercept the message and hopefully benefit in a monetary way,” Gan said.
A typical final step, after all worthwhile data has been taken, is to use ransomware to encrypt a company’s important files so they cannot be accessed. Hackers demand payment in exchange for unlocking the files.
Rebuilding the data if there is no backup can cost millions or even tens of millions of Hong Kong dollars, depending on the size of the business. “That doesn’t include opportunity cost lost,” Gan said.
While experts agree the number of cyberattacks on companies is growing, few specific details are publicly known. Hong Kong has no regulations requiring companies to disclose breaches. Attacks are reported to HKCERT voluntarily.
Despite the high stakes, Hong Kong companies are not doing enough to protect against these threats, according to a survey of 350 companies from six industry sectors published in April by the HKPC and Hong Kong-based cybersecurity firm SSH Communications Security.
Even small and medium enterprises need to find “smarter ways” to invest in cybersecurity. Those could include outsourcing protection to expert firms. Investing in security awareness training for employees is “unavoidable” in today’s climate, Wong of HKPC said.
The impact of cyberattacks on companies is not limited to business.
Breached company data could make residents more susceptible to crime. Hackers will use leaked information such as account passwords or addresses to personalise blackmail emails, claiming to have records of embarrassing online activity, or to con individuals into giving up login credentials for financial accounts.
These individualised attacks, along with social media scams, where hackers impersonate friends or lure people into fake relationships and then ask for money, are among the cases that have cost Hongkongers more than HK$2 billion this year. In one such case, a Wan Chai woman was fleeced out of HK$180 million over four years.
E-banking fraud is another common tech crime affecting residents.
The Hong Kong Monetary Authority issued warnings about 54 cases of phishing emails, circulated to an unknown number of consumers from January through October this year, and 56 cases of fraudulent bank websites set up as copycats to steal login credentials. That was up from only seven warnings about phishing emails for the whole of 2017 and 34 cases of fraudulent bank websites.
But as more personal information is available online through both credible listings and data breaches, identity theft attacks can also be automated by armies of bots, which incessantly try to use available credentials to enter accounts or create new ones, experts said.
“Most people would be surprised by how often and how regularly stolen or synthetic identities are used on a daily basis to try and get access to your online accounts or to create accounts in your name or transact in your name,” said Alisdair Faulkner, chief identity officer of LexisNexis Risk Solutions.
Faulkner said it was not surprising that Hong Kong had leapt into a top five target spot.
“Hong Kong is a very large financial and trading hub, there’s business and money flowing between countries, so fraudsters are very keen to tap into this,” he said.
The city’s comparatively lax regulations and the low level of investment in cyberprotection by companies also made it a prime global target, experts said.
Ricky Ho, regional vice-president of SSH Communications Security, said that among the four major financial hubs of New York, London, Frankfurt and Hong Kong, the city was “probably the least regulated”.
In the Asia-Pacific region, Hong Kong falls behind Singapore in terms of government and monetary authority regulation of data security, he said. Government regulation can get companies to invest more in cybersecurity.
Without an increase in this spending, Hong Kong remained an “easy target” compared to other major financial hubs, according to Ho.
Gan of PwC said Hong Kong businesses were “very backward” in their awareness of cybersecurity.
He pointed to the absence of a legal requirement to report data breaches in Hong Kong’s Personal Data (Privacy) Ordinance as one reason businesses and individuals were less prepared for attacks and more easily targeted.
The more companies share about attacks, “the more the market and the public will realise, ‘Oh it’s happening and we should be more careful’”, he said.