Hong Kong Consumer Council ransomware attack

On 20 September 2023, the Hong Kong Consumer Council — the statutory watchdog that publishes the influential CHOICE magazine and protects consumer interests across the territory — was hit by a ransomware attack that damaged roughly 80% of its computer systems and triggered a suspected data breach.

What happened

The attack unfolded over a roughly seven-hour window, during which the Council's systems were encrypted and an abnormal data transfer of about 65GB was detected leaving the network. Hotline services and the Council's price-comparison tools were disrupted. The attackers then issued a ransom demand of US$500,000, threatening to raise it to US$700,000 if a deadline passed.

The Council refused to pay, stating it "will not succumb to ransomware extortion." Instead it reported the incident to police on 21 September, notified the Office of the Privacy Commissioner for Personal Data, and appointed a forensic expert to investigate.

What was at risk

The Council warned that the suspected breach could affect several categories of people:

Current and former staff, their family members, and job applicants — with data including Hong Kong ID-card numbers, addresses, and dates of birth.
CHOICE magazine subscribers, including about 8,000 subscribers who had provided credit-card details to the Council.
Complaint case data (largely unaffected) and work-partner contact information such as company addresses, phone numbers, and emails.

As a precaution, the Council sent out roughly 25,000 data-breach notifications to staff, subscribers, and business contacts, and advised affected individuals to reset passwords, enable multi-factor authentication, and monitor their credit-card accounts.

Impact and response

While the Council emphasised it could not confirm the full scope of any personal-data theft, the 80% system damage made this one of the most disruptive attacks on a Hong Kong public body. Recovery required rebuilding much of the Council's infrastructure, and the watchdog used the episode to publicly reinforce a no-ransom stance backed by law-enforcement cooperation.

Why it matters

The Consumer Council attack exemplified the double-extortion ransomware model — encrypt to disrupt, exfiltrate to coerce — now standard against public-sector and not-for-profit targets that hold valuable personal data but often run leaner security operations. Its refusal to pay aligned with guidance from law-enforcement agencies worldwide, who warn that payment funds further crime and guarantees nothing. For Hong Kong, it reinforced the need for resilient backups, network segmentation, and rehearsed incident response even at institutions outside the traditional finance and telecom risk tiers.

Timeline

September 20, 2023

Ransomware strikes the Consumer Council's systems, damaging roughly 80% of its computer infrastructure during a seven-hour window.

September 20, 2023

An abnormal data transfer of about 65GB is observed; attackers demand US$500,000, rising to US$700,000 after a deadline.

September 21, 2023

The Council reports the incident to police and notifies the Office of the Privacy Commissioner for Personal Data.

September 22, 2023

The Council publicly discloses the attack, warns of a suspected data breach, and appoints a forensic expert.

September 22, 2023

The Council declares it will not pay the ransom and begins notifying around 25,000 affected contacts and subscribers.

Sources

consumer.org.hkhttps://www.consumer.org.hk/en/press-release/p-systemhacked

hongkongfp.comhttps://hongkongfp.com/2023/09/22/hong-kong-consumer-council-falls-victim-to-ransom-hackers-warns-of-suspected-data-breach/

scmp.comhttps://www.scmp.com/news/hong-kong/law-and-crime/article/3235438/head-hong-kong-consumer-watchdog-apologises-potential-data-leak-affecting-over-8000-people-us500000

bankinfosecurity.asiahttps://www.bankinfosecurity.asia/hong-kong-consumer-watchdog-suffers-major-ransomware-attack-a-23140

Related incidents

RansomwareContainedDecember 8, 2023

Westpole LockBit ransomware — Italian PA outage (2023)

LockBit 3.0 encrypted the data centres of Italian cloud provider Westpole, taking down PA Digitale's Urbi platform — which serves 1,300 Italian public administrations including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, and the Ministry of Environment. Payroll, citizen services, and local-government workflows were degraded for weeks.

Victim: Westpole / PA Digitale (Urbi platform)

RansomwareContainedOctober 28, 2023

British Library Rhysida ransomware (2023)

Rhysida ransomware operators destroyed servers, demanded ~£600,000, and leaked 600 GB of internal data when the British Library refused to pay. The main catalogue did not return online — read-only — until January 2024. Recovery is consuming 40% of the Library's financial reserves.

Victim: British Library
Loss: $8.5M

RansomwareResolvedSeptember 12, 2023

IFX Networks supply-chain ransomware attack

A ransomware attack on regional cloud provider IFX Networks cascaded into more than 50 Colombian state and private entities — including the Ministry of Health, the Judiciary, and the Superintendency of Industry and Commerce — and affected 762 organisations across Latin America.

Victim: IFX Networks (Colombian government clients)

RansomwareResolvedSeptember 11, 2023

Lanka Government Cloud ransomware attack

A ransomware attack on Sri Lanka's Lanka Government Cloud encrypted around 5,000 gov.lk email accounts — including the Cabinet Office — and, because backups were also encrypted, permanently destroyed roughly three months of government email.

Victim: Lanka Government Cloud (ICTA Sri Lanka)