More than 90 per cent of Hong Kong companies, schools, and NGOs have incorporated artificial intelligence (AI) into their workflows, according to a survey.

According to a survey of 800 organisations conducted by the Hong Kong Internet Registration Corporation Limited (HKIRC), 94 per cent said they had used AI tools.

Among those, 63 per cent had not established an internal AI usage policy for employees, while 68 per cent had not conducted any AI training, the survey found.

HKIRC CEO Wilson Wong said on Tuesday that employees at almost half of the surveyed organisations had used unauthorised AI tools.

“While the penetration rate of AI in the workplace is exceptionally high, most organisations still face security risks regarding governance, tool usage and training,” Wong was quoted as saying in a statement issued by the government’s Digital Policy Office (DPO).

He was speaking at a joint press conference on cybersecurity, alongside representatives from the DPO, the Hong Kong Police Force’s Cyber Security and Technology Crime Bureau, and the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT).

Security risks

Wong cited an earlier survey by the HKCERT, which found around 35 per cent of businesses using AI admitted to feeding company information into AI tools.

Some employees used open-source AI tools to process meeting minutes, for instance, which could lead to errors or data leaks, he added.

Wong said the HKIRC, which oversees Hong Kong domain names, would launch the Secure AI@Work Enablement Campaign to provide training and assistance in formulating AI policies, as well as suggestions for suitable AI tools and regulations on information that should not be processed by AI.

The campaign “will assist organisations in plugging governance gaps through training, AI strategy and policy formulation tools and advisory services,” the statement said.

Edmond Lai, chief digital officer of the Hong Kong Productivity Council, the parent organisation of the HKCERT, said that the HKCERT would seek to bolster public education and talent cultivation in AI and cybersecurity through publicity campaigns, such as AI-generated tram advertisements and videos.

A global cyberattack on online learning platform Canvas has compromised the personal information of more than 72,000 students and staff at Hong Kong schools and universities, according to the city’s privacy watchdog.

The data breaches are part of a global attack that hit almost 9,000 educational institutions worldwide, involving data from 275 million users, according to the platform’s developer, Instructure.

Seven local institutions, including three public universities, have reported the breaches to the Office of the Privacy Commissioner for Personal Data (PCPD).

They are: the Hong Kong University of Science and Technology (HKUST), the Hong Kong Polytechnic University (PolyU), City University of Hong Kong (CityU), the Hong Kong Academy for Performing Arts, the Hong Kong Art School, the Hong Kong Institute of Construction (HKIC), and Hong Kong Education City Limited.

The ShinyHunters hacker group allegedly held Instructure to ransom, threatening to leak the information unless the company paid, according to international media.

Instructure said it had reached an agreement with the hacker group to prevent a public leak and gave assurances that no personal information had been compromised.

Student and staff information

The CityU breach involved 28,000 students, according to the university’s report to the PCPD, the privacy watchdog said in a statement on Monday. The leaked data may have included student names, email addresses, student IDs, and messages.

The breach also affected 42,000 students and staff at PolyU, with their names and email addresses potentially compromised, according to the PCPD.

The watchdog “has advised the relevant organisations to notify those affected as soon as possible and to provide assistance as appropriate in each case, in order to prevent the breach from escalating,” it said.

Some 2,500 students and staff at the HKIC and 71 students at the Hong Kong Art School were hit by the breach. The other three institutions have yet to confirm the number of people affected.

Cybersecurity officials have called on institutions to suspend use of the online learning platform and remain vigilant against potential follow-up phishing attacks.

The Hong Kong Productivity Council chief digital officer Edmond Lai said at a press conference on Monday that such attacks could lead to further data leaks or unauthorised transactions.

He also said that the Hong Kong Computer Emergency Response Team Coordination Centre is using artificial intelligence tools to identify phishing websites potentially linked to the Canvas hack.

Meanwhile, Chief Superintendent Raymond Lam said at a press conference on Tuesday that two police reports had been made in relation to the Canvas hack.

One report was filed by a local institution, while the other involved people who used the incident as a pretence to deceive a resident.

NEW YORK, June 2 — Meta is facing scrutiny after security researchers found that its AI‑powered support chatbot could be manipulated to grant unauthorised access to Instagram accounts.

Futurism reported that multiple users and cybersecurity researchers demonstrated how Meta’s automated support agent — designed to help with account recovery — could be tricked into handing over access links simply by claiming to be the account owner. In several documented cases, the bot allegedly provided password‑reset or login‑recovery URLs without verifying the requester’s identity.

According to the report, the vulnerability allowed attackers to bypass standard security checks, including two‑factor authentication, by exploiting the chatbot’s willingness to accept unverified claims. Screenshots shared by researchers showed the bot responding with recovery links after minimal prompting.

Meta told Futurism that it had taken action to address the issue, but did not specify what changes were made. The company also said it had not found evidence of “widespread abuse,” though researchers quoted in the article argued that the flaw was significant and easily exploitable.

Cybersecurity analysts warned that the incident highlights broader risks in deploying AI systems for sensitive support functions without robust verification safeguards. Some experts said the case underscores how AI‑driven customer service tools can unintentionally create new attack surfaces if not properly secured.

The report noted that several affected Instagram users have since regained control of their accounts.