Hongkong Post has said that a cyberattack on its online shipping portal may have exposed the personal data of senders and recipients.
In a statement issued late on Monday evening, the city’s postal service said that it had identified the incident involving its EC-Ship account holders.
“Based on preliminary assessment, the incident could involve the information on the address books of EC-Ship account holders, including senders’ and recipients’ names, addresses, phone numbers, fax numbers and email addresses,” the statement said.
The EC-Ship service allows customers to prepare shipping labels and pay estimated postage online.
Hongkong Post said it took “immediate measures” to block the breached access and reported the case to the police, the Digital Policy Office (DPO), the Office of the Privacy Commissioner for Personal Data (PCPD), and the Security Bureau on Monday.
“Investigation is still underway to ascertain the number of account holders affected and whether any personal data leakage is involved,” the statement also said. “Hongkong Post will inform affected account holders as soon as possible when further updates are available.”
A total of 7,249 registered customer email addresses were exposed when Hongkong Post experienced a data security breach in 2023.
The PCPD, Hong Kong’s privacy watchdog, said in November that 70 per cent of Hong Kong companies had experienced some form of cyberattack in the past year.
In March, Hong Kong lawmakers passed a law meant to enhance safeguards for the city’s key infrastructure systems against cyberattacks, imposing fines of up to HK$5 million for cybersecurity lapses.
The law, however, excludes government departments, including Hongkong Post.
The Fire Services Department, the Registration & Electoral Office, the Electrical and Mechanical Services Department, Cyberport, the Consumer Council and the Companies Registry are among the governmental and statutory bodies that have recently suffered data leaks.
