Hackers stole thousands of records from the newly built Transport Department Vehicle Examination Centre

Hackers have attacked the government’s new Transport Department Vehicle Examination Complex (TDVEC), stealing private data on as many as 28,000 vehicles.

Full data on vehicles booked in for tests, including vehicle registration numbers, vehicle chassis numbers and vehicle owners’ names, as well as contact numbers of vehicle owners, were stolen in the attack, according to Transport Department (TD).

TD says the attack came to light when officials noticed problems with the computer system and were unable to login. An investigation by Electrical and Mechanical Services Department (EMSD) found that computer problems at the complex were caused by hacking.

A government spokesman says TD has reported the incident to the police, the Office of the Government Chief Information Officer, and the Office of the Privacy Commissioner for Personal Data, and will fully cooperate with their investigations.

TDVEC is the largest and newest vehicle examination centre in Hong Kong, opened in April this year to replace three centres at Kowloon Bay and To Kwa Wan. It features 30 vehicle inspection lanes for vehicles from motorcycles to heavy trucks, together with chassis dynamometers for commercial vehicles, tilting stability test platform, a track lane and test ramps for brake testing, a swept-circle testing area and axle weighbridges.

TD and EMSD are closely following up the computer system repair work and will “resume the vehicle examination scheduling service as soon as possible”, says a government spokesman. “TD appeals to the vehicle owners or their representatives to pay attention to calls from unknown sources.”

The news comes a month after local sources revealed criminal gangs had taken over the vehicle inspection booking system at To Kwa Wan Vehicle Inspection Centre, reselling scarce motorcycle slots for huge profit.

Gangs were said to organise stand-ins to queue either online or in person at TD, grabbing all available online spots within minutes and selling them to bike owners for as much as HK$3,000 – gangsters are making HK$200,000 a month according to one estimate.

Choy Yuk-ling was convicted for making a false statement after using a TD database for journalistic purposes

Many other questions have been raised on vehicle privacy this year, with the arrest and criminal conviction of journalist Choy Yuk-ling, who used a TD database to access information on vehicles thought to be involved in a triad raid.

Reporter Wong Kai-keung was bound over for a year after using the same database to identify stalkers who were harassing journalists at his newspaper.

In both cases, prosecutors argued that the use of TD data for journalistic purposes is not acceptable.

Vehicle data access enforcement was sharpened in 2012 after a car park operator, Imperial Parking, was found to be using car licence plates to sell insurance and car club memberships, with Imperial claiming it needed the data “for legal purposes”. However, although legal precedents were then set for tightening use of the TD database, Imperial was never charged.

In recommending no enforcement, The Office of the Privacy Commissioner for Personal Data stated at the time that they thought Imperial would not offend again.