Circle K Hong Kong Paralyzed: System Outage Halts Payments Across 400 Stores

The Circle K convenience store chain has reported a system outage in Hong Kong that effectively paralyzed operations across nearly 400 locations for several days. The incident disrupted electronic payments, corporate email, and the loyalty program, forcing the retailer to temporarily rely on limited payment methods. While the stores have remained open, customers have been able to pay only in cash or through Octopus, the region’s widely used contactless card.

The company stated that it does not rule out the possibility of a cyberattack. In a statement published Monday on Circle K’s official Facebook page, it noted that specialists had promptly taken measures to safeguard the data of customers, employees, and suppliers, while also engaging police and independent digital forensics experts to determine the cause, scale, and impact of the disruption. Circle K emphasized that its current priority is the safe restoration of key services.

The problems first emerged over the past weekend. Notices appeared in shop windows at several locations—including those in the bustling Causeway Bay district—announcing the suspension of cashless transactions due to a “network failure.” As of September 23, customers continued to voice widespread complaints on social media, particularly about being unable to redeem loyalty points and coupons that had since expired, demanding that the company extend their validity. However, no further official updates had been issued since Circle K’s initial statement on September 22.

Circle K Hong Kong is owned by the Canadian corporation Alimentation Couche-Tard, which operates the brand across North America and other regions. The former regional licensee, Convenience Retail Asia (CRA)—which had managed Circle K in Hong Kong since the 1980s before transferring control to Couche-Tard in 2020—also confirmed experiencing network problems on Monday. CRA reported that its internal systems had been affected and notified the police, though it remains unclear whether the two incidents are connected.

This is not the first time Circle K has been targeted by cybercriminals in different countries. In January 2025, the chain’s largest U.S. franchisee, Gas Express, disclosed the theft of personal data, including names, Social Security numbers, and driver’s license details. In the summer of 2024, a ransomware group claimed responsibility for an attack on Circle K’s Atlanta operations. A year earlier, researchers uncovered an exposed dataset containing partial payment card information, loyalty program numbers, and employee contact details. At the time, the company merely stated that the vulnerability had been resolved, offering no further comment.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy