The Shangri-La hotel group admitted last Friday that a data breach occurred between May and July this year in eight of its properties across Asia.
The affected hotels are the Island Shangri-La, Kerry Hotel and Kowloon Shangri-La in Hong Kong, Singapore's Shangri-La Apartments and Shangri-La Singapore, Shangri-La Chiang Mai, Shangri-La Far Eastern in Taipei and Shangri-La Tokyo.
In an email informing affected guests, which was sent out Friday evening, the hotel group said the data breach involved databases that contain guest information such as names, email addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates and company names.
Shangri-La has called in cyber forensic experts to investigate after unauthorised activities on its IT network were discovered.
"The investigation revealed that between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected and illegally accessed the guest databases," said Brian Yu, Shangri-La Group's senior vice president of operations and process transformation, in the email informing guests of the data breach.
He added that the investigation confirmed that certain data files had been exfiltrated from these databases.
"We can assure you that information such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted," Yu said.
The hotel group assured guests that there is presently no evidence that their personal data has been released by third parties or misused.
As a precaution, however, Shangri-La is offering affected guests a one-year complimentary identity monitoring service provided by Experian, a third-party cybersecurity provider, in destinations where local regulations permit. The identity monitoring service is optional, and guests can decide how much information to include.
“Protecting our guests’ information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems and databases,” said Yu.
Data breach occurred around the time of top security summit
The data breach happened during a period the Shangri-La hotel along Orange Grove Road hosted Asia's top security summit. The 19th Shangri-La Dialogue, organised by the International Institute for Strategic Studies (IISS), took place from June 10 to June 12.
US Defence Secretary Lloyd Austin and his Chinese counterpart General Wei Fenghe were at the event, but it was unclear how many attendees stayed in the hotel.
Responding to media queries from several news outlets in Singapore, the event organiser IISS said data related to the Shangri-La Dialogue was stored on a separate server and was not affected in the breach.
Meanwhile, asked if the Shangri-La Dialogue was specifically targeted, a Shangri-La spokesman told The Straits Times: “There is no evidence to suggest any specific hotel or event was singled out. As a matter of policy, we do not disclose information about our guests.”
Working with local authorities
The hotel chain said it is collaborating with local authorities on the cybersecurity incident.
The Cyber Security Agency of Singapore said it is aware of the incident, and urged organisations to proactively monitor and check their IT networks regularly for signs of suspicious activity.
In Hong Kong, the city's privacy watchdog said it had been notified of the incident on Thursday evening. The Office of the Privacy Commissioner for Personal Data (PCPD) said the breach might involve personal information of over 290,000 Hong Kong guests, adding that it has launched a compliance check.
“We are disappointed to note that Shangri-La only formally notified the PCPD and informed its customers of the incident more than two months after it had become aware of the incident,” the HK privacy agency said in a statement.
The PCPD calls on organisations to notify it as soon as possible of any data breach incident.
“Notification of a data breach incident will enable the PCPD to help the organisation and the affected parties to take appropriate and timely measures to minimise the damage caused by the incident to the organisation and the affected parties. The organisation should also notify the affected parties of the data breach incident as soon as possible,” it added.