Information pertaining to at least 7,000 students and 400 academic visitors to the University of Hong Kong’s faculty of education and their study status could have been leaked as its computer servers were hacked in a cyberattack on January 30.
The cyberattack occurred on January 30.
”Upon discovering the incident, the faculty took immediate action to ensure the isolation of servers. An external cybersecurity consultant and the university’s information technology services promptly commenced a thorough investigation,” HKU said.
The faculty was able to inspect a log file on February 2 and subsequently identified that internal files may have been exfiltrated, including its room booking records, internal guidelines, system management files as well as meeting agenda papers and minutes dating back to 2012.
”The faculty’s preliminary evaluation is that the personal data in the files might include information on around 400 academic visitors, around 3,000 students’ study status and around 4,000 applicants of research degree programs,” the university said.
”At the moment, there is no evidence suggesting that salary information, bank account details, or HKID numbers of any individuals have been exfiltrated.”
The faculty also said it “condemns all forms of unlawful cyber activities” and has reported to the police and the Office of the Privacy Commissioner for Personal Data.
”The faculty is also working actively to review and mitigate the impact of the incident and strengthen its overall cybersecurity measures with advice from the university information technology services,” the university said.
The faculty is notifying students and alumni about the incident, and may issue further notifications upon reviews.
”The faculty expresses its sincere apologies for any inconvenience caused. They should remain vigilant against any abuse, misuse, malicious or unlawful use of personal data,” the university said.
In response, the Office of the Privacy Commissioner for Personal Data said the incident involved around 7,400 individuals.
As the incident involves a leakage of personal data, the office appeals to all affected individuals to direct their inquiries to or lodge a complaint with the office or organizations if they suspect their personal data has been misused.
It also called on affected individuals to be vigilant against unauthorized use of personal data and to take measures to protect personal data privacy, including changing passwords, paying attention to unusual login records and not opening attachments in SMS or emails.