- Police investigating after eight schools are hacked, three of which report data leaks
- Pupil addresses among information stored on administration system targeted by hackers
Hackers have broken into a government system used by most of Hong Kong's schools, raising fears for the personal data of pupils, parents and staff.
Eight schools operating a web-based administrative network that stores highly sensitive information were breached, with three of them reporting data leaks, the Education Bureau said on Friday night. Police are investigating.
A bureau spokesman said it had sent specialist personnel into schools to examine IT systems, provide support and strengthen security. But it did not release details of what data might have been stolen during the cyberattack, or which schools had been targeted.
It urged those affected to report the incidents to Hong Kong police and the Office of the Privacy Commissioner for Personal Data.
WebSAMS, or web-based school administrative and management systems, is an application developed by the bureau to provide all public sector and direct subsidy scheme schools with networked computers to support schools' administration and management operations.
The programme allows each school to handle large amounts of data, including the personal details of students, parents and teachers. It also holds examination results, salaries and schools' financial records.
The bureau's disclosure of the attack came after media reports that La Salle Primary School in Kowloon City fell victim to the breach on Thursday night.
Principal Chandni Rakesh said in a letter to students, parents and staff on Thursday that the school had been informed by the bureau that the system had been maliciously hacked, and their data on the WebSAMS server illegally retrieved.
"The school does not tolerate unauthorised access to our stakeholders' information and will cooperate fully with law enforcement," said Rakesh, who added use of the system was suspended.
Information that could have been downloaded includes the addresses, dates of birth, contact details, parents' names, birth certificates and academic results of pupils.
Staff information, financial reports and school places allocations could also be among the data lost. The case has been reported to police and the privacy commissioner.
She reminded people to remain vigilant about the possibility of personal data being used by criminals.
Louis Li, the father of a Primary Two boy at the school, said he felt worried and helpless, adding: "I'll be ready for the worst. I don't quite know what to do. People can do a lot of things with all those data."
The IT worker, also an alumnus, said he did not know much about WebSAMS but speculated uninterrupted connections to the internet could have left the door open to hackers.
He said connections to the internet and the Education Bureau should be turned off when a school was not communicating with the department.
And he said the bureau should reveal which schools were affected as soon as possible so that affected parties could respond quickly.
Education sector lawmaker Ip Kin-yuen said the situation could be even more serious than feared because it was not known how the breach happened and whether hackers would target more schools.
The government must scrutinise the system, fix security loopholes and inform all victims so they could take action to protect themselves, he said.
A police spokesman said Kowloon City Police Station had received a report on Thursday from a school in the district about suspected hacking.
It is being investigated as a case of access to a computer with criminal or dishonest intent under section 161 of the Crimes Ordinance. No arrests have been made.
The bureau said it had released an update for the system and urged schools to install it to strengthen security.
Copyright (c) 2019. South China Morning Post Publishers Ltd. All rights reserved.