Suspected cyberattack disrupts Circle K chain’s operations in Hong Kong

Convenience store chain Circle K said a “network disruption” has paralyzed its Hong Kong operations for several days, forcing nearly 400 outlets across the city to suspend most electronic payment and loyalty services.

The retailer said the incident, first reported over the weekend, affected e-payment systems, email services, and loyalty programs. Circle K stores remain “open and operating,” and customers can still pay with cash or Octopus, Hong Kong’s widely used contactless smart card.

“As we cannot rule out a possible cyberattack, we have acted quickly to secure customer, employee and supplier data, and are working with law enforcement and third-party forensics experts to determine the cause, scope and extent of this breach,” the company said in a statement on Facebook on Monday.

The company has not issued further updates and did not respond to Recorded Future News’ request for comment. As of Tuesday, customers on its Hong Kong social media page were still reporting outages and complaining about the expiration of loyalty points and coupons, urging the firm to extend deadlines.

Circle K Hong Kong is owned by the Canadian company Alimentation Couche-Tard, which operates Circle K stores throughout North America and elsewhere. 

A Circle K outlet in Causeway Bay, Hong Kong’s main retail district, displayed notices saying e-payments were suspended due to a “network outage,” according to local media reports.

Circle K Hong Kong’s former parent, Convenience Retail Asia (CRA) — which licensed the brand in the 1980s and sold it back to Alimentation Couche-Tard in 2020  — also reported a network disruption on Monday. CRA said its internal systems were affected and that it had notified law enforcement, though it is unclear whether the incidents are linked.

Circle K outlets have been repeatedly targeted in cyber incidents worldwide. In January, the chain’s largest U.S. franchisee, Gas Express, disclosed that hackers had stolen names, Social Security numbers and driver’s license details. In June 2024, a ransomware group reportedly claimed responsibility for breaching Circle K Atlanta.

In 2023, researchers also found a Circle K dataset left exposed online, containing partial payment card details, customer loyalty numbers and employee contact information. The company said it had fixed the issue but did not comment further.