Klook Notifies Customers of Potential Third-Party Data Breach Incident

HONG KONG, June 29, 2018 /PRNewswire/ -- Klook has become aware that certain customer information may have been accessed without authorisation, as a result of malicious JavaScript code associated with a third-party web-based analytics tool, SOCIAPlus (the "third-party provider"), which Klook used on its website. Immediately upon discovering it, Klook disabled the feature to protect its customers, and is actively conducting an investigation alongside an independent forensics company. Upon enquiry, Klook received confirmation from the third-party provider that the source of the data breach was a single piece of JavaScript code that was infected.

The incident resulted in the possible compromise of personal data and credit card information provided by customers. Transactions made on the Klook website between December 11, 2017 and June 13, 2018 may have been impacted; those made via the Klook mobile app (both iOS and Android) were not. While investigations are ongoing and Klook is working to categorically exclude customers from risk, Klook estimates that approximately 8% of users may have been affected. Klook has actively reached out to notify potentially impacted customers.

In addition, Klook has completed a primary investigation with Kroll, a global leader in cyber security and forensics investigation. Since the removal of the JavaScript, there is no indication of data loss. Klook and the third-party provider are cooperating to continue with further investigations on this incident. The third-party provider claims it is confident that this was an isolated incident, and that the vulnerability occurred due to a specific custom implementation conducted by the third-party provider.

Klook takes data security and the handling of customer information very seriously. The company's first priority is to protect its customers' interests, and it has hence decided to take swift and proactive actions to address the issue:

  • Klook has notified the relevant regulatory authorities
  • Klook will be reviewing its existing cyber security protocols regularly, and will also implement even stricter review processes for materials from third-party providers
  • Klook will continue investigations with Kroll to determine more facts surrounding this incident

The company has put all appropriate resources behind these efforts to maintain a safe environment for customers to enjoy Klook's services.

Further updates will be provided at https://www.klook.com/news/announcement.

The following dedicated channels for concerned parties have been set up: