Hong Kong, China — A recent cyberattack on Hongkong Post’s online mailing system has resulted in a major data breach affecting tens of thousands of users. According to officials, the hacker managed to access sensitive contact information from the EC-Ship platform, which is widely used for managing and sending mail.
Postmaster General Leonia Tai revealed that the attacker was able to view information stored in the address books of approximately 60,000 to 70,000 EC-Ship accounts. These records contained the names, addresses, email IDs, and phone numbers of both senders and recipients, as well as company names and fax numbers.
EC-Ship is a digital tool operated by the Hongkong Post, which helps individuals and businesses arrange mail deliveries locally and internationally. The platform allows users to save contact information, print shipping labels, and track parcels.
The breach began on Sunday night and continued into Monday. According to Tai, the attacker created a legitimate account on the platform and began exploring weaknesses in the system’s code. Though the system recognized unusual activity and temporarily suspended the attacker’s access, the hacker continued trying different techniques. Eventually, they discovered a flaw in the program’s code that allowed them to reach data stored in other users’ address books.
Tai stated that the issue was quickly identified and the affected programming code was patched to block further intrusions. However, the hacker had already extracted confidential information from a large number of users. The Hongkong Post has contacted affected account holders by email and asked them to alert anyone whose information may have been exposed.
Law enforcement agencies have launched an investigation into the incident. In the meantime, Hongkong Post is seeking expert advice to strengthen its digital defences.
Cybersecurity professionals have raised concerns over where the EC-Ship system is hosted. Some believe that sensitive systems like this should operate on government cloud servers, which offer more advanced protection. Tai responded that Hongkong Post follows standard security procedures and that their internal systems did detect and respond to the attack.
Efforts are now underway to migrate the EC-Ship service to a central government-managed internet platform that uses multiple layers of protection and round-the-clock monitoring. Officials hope this will reduce the chances of future incidents and better safeguard users’ data.
