Shangri-La Group issued an announcement on its official website on Sept. 30, stating that its 8 hotels were found to have been hacked by professional cyber attackers, bypassing the group’s security monitoring system, and after investigation, it was found that the contact information of some guests was leaked. The group apologized to the affected customers and emphasized that the incident did not affect the general operation of the hotel. The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) said on Oct. 1 that the personal data of more than 290,000 Hong Kong customers may have been affected and a compliance check has been launched.
Brian Yu, Senior Vice President, Operations & Process Transformation of Shangri-La Hotels and Resorts, issued a notice to the members of the hotel group on Oct. 1, saying that after unauthorized activities were discovered in the hotel’s IT network, a network security expert has been appointed immediately to investigate the anomaly.
It was found that between May and July this year, professional cyber attackers bypassed its IT security monitoring system and illegally accessed the hotel’s guest database, involving eight of its hotels:
. Island Shangri-La, Hong Kong
. Kerry Hotel, Hong Kong
. Kowloon Shangri-La, Hong Kong
. Shangri-La Apartments, Singapore
. Shangri-La Singapore
. Shangri-La Chiang Mai
. Shangri-La Far Eastern, Taipei
. Shangri-La Tokyo
The group also said that the affected hotel database contained a combination of data including guest names, email addresses, telephone numbers, postal addresses, membership numbers of its club, booking dates, and company names.
In the relevant notice, the group assured members that information such as passport numbers, ID numbers, dates of birth, credit card numbers, and expiry dates are encrypted and protected.
The group emphasized that it had taken all necessary measures to strengthen the security of its networks, systems, and databases, and advised customers to stay alert against any suspicious activity or notifications.
Shangri-La will provide affected guests with a free one-year personal data monitoring service to monitor whether personal data may appear on the Internet, social media, and public databases.
This is an optional service. Customers who are affected can go to the relevant website and register with the personal code provided on the email before Dec. 31. Relevant information can also be found on the relevant webpage.
PCPD said on Oct. 1 that it received a notification of a data breach from Shangri-La (Asia) Limited on Sept. 29. The PCPD noted that there may be more than 290,000 local customers’ personal information being affected.
Taking into account the nature of the accident and the large number of people affected, the office has launched a compliance check of the incident.
PCPD expressed its disappointment that the group only notified the office and relevant customers two months after it had become aware of the incident.
PCPD also pointed out that no inquiries from the public regarding the incident have been received so far.