
Personal data stolen in ransomware attack on Hong Kong’s Ngong Ping 360 attraction

Hong Kong tourist attraction confirms breach compromising staff, annual pass holders, and supplier data after ransom demand.

Deep Dive

The operator of Hong Kong's Ngong Ping 360 cable car attraction has confirmed a significant ransomware attack that compromised personal data of multiple stakeholder groups. On February 27, 2026, the company detected irregularities in its internal network system and immediately alerted both Hong Kong police and the Office of the Privacy Commissioner for Personal Data. Subsequent investigation confirmed that attackers stole data and issued a ransom demand, prompting the company to issue a public apology to guests, employees, and relevant stakeholders. The breach represents another high-profile cybersecurity incident affecting Hong Kong's tourism infrastructure, following similar attacks on transportation and hospitality sectors in recent years.

The preliminary assessment revealed the breach compromised information about staff, annual pass holders, suppliers, and tenants at Ngong Ping Village, along with guests on promotional lists. Specifically, the stolen guest data consists of names and contact details including phone numbers and email addresses. The company emphasized that the compromised internal network was separate from the cable car operation system, ensuring that safety systems and electronic payment data remained unaffected. This separation likely prevented more severe operational disruptions, though the personal data exposure creates significant privacy concerns for affected individuals. The incident highlights ongoing cybersecurity vulnerabilities in tourism infrastructure despite increased digitalization efforts across Asia's hospitality sector.

Key Points
  • Ransomware attack confirmed on February 27, 2026, compromising names and contact details of multiple stakeholder groups
  • Breach affected staff, annual pass holders, suppliers, tenants, and promotional list guests at Ngong Ping Village
  • Cable car operations and payment systems remained secure because the attack targeted a separate internal network

Why It Matters

The incident highlights persistent cybersecurity risks in tourism infrastructure and the consequences of personal data exposure for thousands of stakeholders.