The charity first revealed the attack in a statement on its website on Saturday, but it was more widely reported on Friday when an email concerning the case was sent to potential victims.
Oxfam Hong Kong said it immediately launched an investigation and engaged independent cybersecurity experts to conduct an assessment of the affected systems to assess the impact of the attack and offer remedies.
“We are actively working with our cybersecurity experts to investigate whether the incident had resulted in any unauthorised disclosure of personal data that we hold, and the extent of any such disclosure,” the organisation said.
“We assure you that data security is our top priority and we are taking this very seriously. We remain committed to continuously strengthening our digital defence to safeguard our information and systems.”
Oxfam Hong Kong said in the email that the personal data it held included names, ID card numbers, addresses, email addresses and mobile phone numbers.
The charity might also hold payment information of people who had made donations or payments by credit card, it added.
Oxfam Hong Kong urged the public to stay vigilant regarding any unsolicited or suspicious communications, including phone calls, text messages and emails. It also asked people to stay alert to any suspicious activities, including any unusual logins or transaction records.
The charity said it had reported the cyberattack to police, the Office of the Privacy Commissioner for Personal Data and the Hong Kong Computer Emergency Response Coordination Centre.
Police said they received a report on July 19 about the cyberattack. The case has been categorised as “access to computer with dishonest intent” and a team under the force’s Eastern criminal investigation unit is following up on it. No arrests have been made.
The privacy commissioner’s office confirmed it received a data breach notification from Oxfam Hong Kong on July 13. It said while details of the data breach had not yet been ascertained, it had advised the organisation to promptly notify affected people.
The office said it had initiated a compliance check on the matter.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said cybersecurity measures of NGOs were usually weaker than some other organisations such as banks.
Fong, who is also a council member of Oxfam Hong Kong, said the cyberattack could be attributed to a few factors.
“The firewall might be not strong enough or not updated, or there might be some loopholes with the software systems,” he said. “It could also be a staff member who accidentally clicked on a phishing email.”
He said hackers could target NGOs due to information in their membership database and data of their donors, which could also include credit card details.
ncG1vNJzZmivp6x7tK%2FMqWWcp51ku6bD0mifqKaXYriwusZoqqibmZrBunvAq6uim5yafHR%2BlmtnaW1fpMWnrcxmn6iml2K4sLrGZqCnrpWowaqzwK2gp59dpby0v8ibo55llJbBonnLnpikZZGbwaa%2BjKucr52Robavs4yiq2arpZuzpr7EnWScsZKav6LA05qapA%3D%3D