Shangri-La says data breach at hotels, guests' info potentially leaked

SINGAPORE - A database breach has occurred at luxury hotel chain Shangri-La Group, potentially exposing the personal information of guests who had stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei and Tokyo.

In an email informing affected guests, the group's senior vice president for operations and process transformation Brian Yu, said: "A sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected, and illegally accessed the guest databases."

Its investigation revealed that the breach took place between May and July 2022.

It was around that time that Asia's top security summit Shangri-La Dialogue returned to Singapore after a two-year pandemic hiatus. The event was held at the eponymous Shangri-La hotel in downtown Orchard Road from June 10-12.

In the email, Mr Yu confirmed that certain data files had been exfiltrated from the breached databases.

" Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data," he added.

The following properties are affected:

• Shangri-La Apartments, Singapore

• Shangri-La Singapore

• Island Shangri-La, Hong Kong

• Kerry Hotel, Hong Kong

• Kowloon Shangri-La, Hong Kong

• Shangri-La Chiang Mai

• Shangri-La Far Eastern, Taipei

• Shangri-La Tokyo

The hotel group said it engaged cyber forensic experts to investigate the anomalies following the discovery of unauthorised activities on its network.

It added that the databases of the hotels affected by this incident contained a combination of the following data sets: guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names.

[[nid:589826]]

The hotel group assured guests that there is currently no evidence that guests' personal data has been released by third parties or misused.

As a precaution, however, it is offering affected guests a one-year complimentary identity monitoring service provided by Experian, a third-party cyber security service provider, in destination where local regulation permits.

"We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident. This notice provides information about what happened and how we can assist you," wrote Mr Yu in the email.

He assured guests that information such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted.

"Protecting our guests' information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems, and databases. Once again, we deeply regret for any inconvenience or concerns this incident may cause," he added.

This article was first published in The Straits Times. Permission required for reproduction.