Hong Kong’s Digital Policy Office has requested that government departments using Oracle Cloud services conduct an “urgent” precautionary review, amid reports of a data breach, HKFP has learned.

Oracle offices in Redwood Shores. Photo: Wikicommons.

The office, which oversees IT policy and digital security for the government, told HKFP on March 31 that it had noted reports of a possible data leak involving login credentials and ransom demands.

Last month, a hacker – using the moniker “rose87168” – said they had obtained six million data records linked to Oracle Cloud customers, according to TechCrunch.

The hacker initially sought US$20 million from the cloud computing firm, later offering to sell the data openly. On X, they listed affected URLs, including several Hong Kong government domains such as the Digital Policy Office itself, the police, customs, immigration, the judiciary, and the Security Bureau.

“Although it has been reported that Oracle has denied the leakage, as a precautionary measure, the Digital Policy Office (DPO) has immediately shared the information with the relevant government departments and requested for an urgent review if they have used the concerned online services and in particular to change all concerned system passwords,” a spokesperson for the office told HKFP.

They said that “government sensitive data should not be stored in the public cloud,” and added that they had not received any reports of a security incident linked to Oracle.

Oracle privately admitted breach – Bloomberg

Initially, the tech firm publicly denied that a breach had taken place, prompting criticism from cybersecurity experts.

However, last Thursday, Bloomberg cited two sources as reporting that Oracle had privately acknowledged to clients in March that a breach of a “legacy environment” had occurred. Usernames, passkeys and encrypted passwords were reportedly stolen, and an extortion amount was demanded.


The FBI and cybersecurity firm CrowdStrike Holdings Inc. are reportedly investigating, though neither confirmed the matter to Bloomberg.

Oracle has not responded to HKFP’s enquiries.

To prove they had access, “rose87168” uploaded a text file with their online handle to an Oracle Cloud server. The server has since been removed, but the message is still viewable using the Internet Archive’s Wayback Machine. Oracle customers have also said they had seen convincing evidence of the breach.

User “rose87168” allegedly seeking to sell Oracle customer data on a forum. Photo: BleepingComputer.com.

The web domain of the Hong Kong Monetary Authority (HKMA) was also listed by the hacker as affected, but the central bank told HKFP it was not an Oracle customer.

“The HKMA has not been a user of the service mentioned. In any case, we do not observe any security breach or data leakage,” a spokesperson said in a statement last Monday.

Oracle is facing legal action in the US over a separate data breach in January involving healthcare data.

In March, Hong Kong lawmakers passed a cybersecurity bill to enhance safeguards for the city’s key infrastructure systems against cyberattacks, imposing fines of up to HK$5 million for cybersecurity lapses. Government and statutory bodies are exempt.

The Office of the Privacy Commissioner for Personal Data (PCPD) told HKFP on Tuesday that it had not received any data breach notifications relating to the alleged incident. “The PCPD will monitor the development of the matter, including the veracity of the alleged incident and whether any individuals in Hong Kong are affected,” it said.

The privacy watchdog said in November that 70 per cent of Hong Kong companies had experienced some form of cyberattack in the past year.


Tom founded Hong Kong Free Press in 2015 as the city's first crowdfunded newspaper. He has a BA in Communications and New Media from Leeds University and an MA in Journalism from the University of Hong Kong. He previously founded an NGO advocating for domestic worker rights, and has contributed to the BBC, Deutsche Welle, Al-Jazeera and others.

Tom leads HKFP – raising funds, managing the team and navigating risk – whilst regularly speaking on press freedom, ethics and media funding at industry events, schools and conferences around the world.