The personal data of nearly 150,000 customers and employees of two hearing and speech centres in Hong Kong has been leaked after a ransomware attack, the privacy watchdog has said.

On August 22, Widex Hong Kong Hearing and Speech Centre and its subsidiary Starry Hearing and Speech Centre revealed they fell victim to a ransomware attack on July 5 that encrypted their internal system data and impacted their applications.

The breach potentially exposed customers’ sensitive information, including their names, dates of birth, gender, addresses, phone numbers, audiologists and hearing device records. But the centre did not disclose the number of people affected.

Hong Kong’s Office of the Privacy Commissioner for Personal Data said on Monday it received the company’s data breach notification on July 30.

Founded in 1956, Widex is a Denmark-based firm that specialises in hearing aids and related services. It offers a range of hearing devices designed to help people with hearing loss.

It also provides services such as hearing tests, speech therapy and tinnitus care.

Its Hong Kong branch was established in 1986 and is said to be the first private institution that offered hearing and speech therapy services in the city. It operates six service centres, providing hearing assessments, hearing aid prescriptions and speech and swallowing therapy, among others.

The leaked data of current and former Widex employees comprised their names, salary details, superannuation, bonuses and bank account numbers.

On September 10, WS Audiology, Widex’s parent company based in Denmark, said it identified on July 5 unauthorised access to the local retail IT system of Bloomhearing stores in Australia and New Zealand, which also included some data related operations in Hong Kong and Singapore.

It said the perpetrators had temporary access to personal data including that of hearing aid patients and employees. It said data could have been copied but not lost due to its backup systems.

A spokesman for the watchdog said that according to preliminary information provided by the affected centres, about 148,000 customers and between 30 to 50 current and former employees were affected.

He added that the final number was still under investigation.

The hearing centres in Hong Kong said they had taken immediate action to contain the incident and secure their systems.

They had notified the watchdog and were actively cooperating with investigations.

“We are actively liaising with the authority and will continue to do so until this matter is resolved.”

In response to the incident, Widex has advised affected people to remain vigilant, update their passwords, activate multi-factor authentication where possible, and maintain good online security practices, including avoiding opening messages or clicking on links from unknown senders.

“We know this is a concerning development but rest assured your privacy and security are of utmost importance to us. We sincerely apologise for any distress this incident may have caused,” it said.

The centre advised its clients to monitor the website for further updates if they believe they might have been affected.

The company continued to investigate the extent of the breach and promised to provide updates as more information becomes available. – South China Morning Post