The computer servers of the Faculty of Education (“Faculty”), HKU were under cyberattack on January 30. Upon discovering the incident, the Faculty took immediate actions to ensure the isolation of the servers. An external cybersecurity consultant and the Information Technology Services (ITS) of HKU promptly commenced the conduct of a thorough investigation.

The Faculty was able to inspect a log file on February 2 and subsequently identified that internal files might have been exfiltrated, including the Faculty’s room booking records; internal guidelines; system management files; as well as meeting agenda papers and minutes dating back to 2012.

Upon the Faculty’s preliminary evaluation, the personal data in the files might include information on around 400 academic visitors, around 3,000 students’ study status, and around 4,000 applicants of research degree programmes.

At the moment, there is no evidence suggesting that salary information, bank account details, or HKID numbers of any individuals have been exfiltrated.

The Faculty condemns all forms of unlawful cyber activities. The incident has been reported to the Hong Kong Police Force and the Office of the Privacy Commissioner for Personal Data. The Faculty is also working actively to review and mitigate the impact of the incident and strengthen its overall cybersecurity measures with advice from ITS. The Faculty is notifying students and alumni about the incident, and may issue further notifications upon continuous review of the situation.

The Faculty expresses its sincere apologies for any inconvenience caused to those potentially affected. They should remain vigilant against any abuse, misuse, or malicious/unlawful use of personal data and may contact the Faculty at the designated email address (edu2024data@hku.hk) for enquiries.

For media enquiries, please send them to the Faculty of Education at eduert@hku.hk.