“The threat actor claimed to have access to the customer records of the group and invited bids for access to such records,” it said.

The business group said it was conducting an investigation with the help of a cybersecurity consultancy firm.

The post claimed that the forum user had the membership information of 5 million Lukfook Jewellery customers and planned to sell the data for 25,000 Tether coins, worth about HK$195,000.

According to its interim report for the 2023-24 financial year, Lukfook Jewellery has 66 shops in Hong Kong and Macau, as well as more than 3,200 outlets in mainland China.

The company said the investigation “involved, among others, an assessment of the validity and underlying cause of the [incident] and a comprehensive review of the security of the group’s systems and servers”.

“As of the date of this announcement, said investigation is still ongoing, and it is not certain whether there has been any leakage of customers records … and if so, the extent of the leak,” it said.

Luk Fook Holdings said the incident had been reported to police and the Office of the Privacy Commissioner for Personal Data, with authorities to assist with the investigation.

“The group is committed to protecting its customers’ information and their privacy to defend against any such incident in the future by continuously strengthening its information system security measures,” it added.

The city’s privacy watchdog said it had received a notification from the company over the alleged incident.

Lawmaker Elizabeth Quat, who chairs the Legislative Council’s information technology and broadcasting panel, expressed disappointment over the company’s failure to inform the public before reports of the alleged hack emerged in the media.

She also urged the government to tighten up privacy laws to increase penalties against enterprises and organisations that failed to quickly report data breaches.

The privacy commissioner’s office also said it earlier received a report of a data breach at the Hong Kong College of Technology on February 21, with a subsequent investigation showing about 8,100 students had been affected.

The leaked information includes students’ names, ID card numbers, email addresses, phone numbers and residential addresses.

The watchdog asked anyone affected to be vigilant if they received phone calls or text messages from unknown contacts. They should check for suspicious activities involving their email and bank accounts, it added.

They were also warned to be careful when opening any email attachments or hyperlinks from suspicious senders.

The college said its IT network and server were hacked in February, describing the incident as a “highly targeted and unusual cyberattack”.

According to local media, a ransomware group was believed to have stolen 450GB of data and shared the information on the dark web earlier this week.

The college said it had shut down the affected IT system and launched an investigation.

It also apologised for the data leak and said the incident had been reported to police and the privacy commissioner’s office.

Those affected by the data leak would receive free credit and dark web monitoring services for six months, the college added.

The Education Bureau confirmed on Friday that the college had reported the incident in late February.

“The bureau has asked the college to comprehensively investigate the incident and to take appropriate measures to strengthen network security to prevent similar attacks in the future,” a spokesman said.

“It has also asked the college to submit a report after it finishes its investigation.”

Police have said they are investigating the case.

“The cyber security and technology crime bureau is following up on the case. There have not been any arrests so far,” the force said.