Review by Hong Kong police reveals how critical infrastructure operators are vulnerable to online attacks
Far too many companies in Hong Kong have left themselves vulnerable to cyberattacks, according to a new police review that should warn all operators to immediately step up their game. Regular security checks are required by law for private firms with infrastructure deemed “critical” for the normal functioning of society. The rules in place since March apply to an undisclosed list of players in sectors such as energy, information technology, banking, communications, maritime, healthcare and transport.
Police recently found that about 5 per cent of publicly accessible technology assets owned by such operators were vulnerable to online attacks. A first-of-its-kind review turned up loopholes in 4,500 out of 90,000 pieces of technology assets examined. The force also revealed that it had received over 440,000 pieces of intelligence on cyberthreats targeting the city last year. Hacking cases have been rising, with losses surging over the past two years. Greater diligence is required.
Regulated firms have more than just a fear of hackers to prompt better security. Under the law, they may be fined up to HK$5 million for failing to keep their systems up to date. The companies are also now obliged to notify authorities of any breach within 12 hours.
It is encouraging that police have quickly carried out an initial review. They found 495 assets at critical or high risk with issues such as staff login credentials exposed, unused subdomains that risk being taken over by hackers, or cloud services exposed to external access.
Raymond Lam Cheuk-ho, chief superintendent of the cybersecurity and technology crime bureau, said if those “critical or high-risk loopholes” were exploited, serious disruptions would be “extremely likely”.
Companies involved have already taken steps to remedy loopholes discovered in the survey, but it is worrying that cyberattacks exploited obvious vulnerabilities such as insufficient monitoring of remote access computers, outdated security software, or poor cyberthreat response policies.
Hong Kong is certainly not alone in the global struggle to stay ahead of cybercrime. The report is a welcome assessment of how much more needs to be done.
This article originally appeared on the South China Morning Post (www.scmp.com), the leading news media reporting on China and Asia.
Copyright (c) 2025. South China Morning Post Publishers Ltd. All rights reserved.