A database breach at Shangri-La Group has potentially exposed the personal information of guests who stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei, and Tokyo.
Mr. Brian Yu, the group's senior vice-president for operations and process transformation, stated in an e-mail to affected guests on Friday: "A sophisticated threat actor managed to bypass Shangri-IT La's security monitoring systems undetected and illegally accessed the guest databases." The breach occurred between May and July 2022, according to its investigation.
Around the same time, Asia's top security summit, the Shangri-La Dialogue, returned to Singapore after a two-year hiatus due to the pandemic. From June 10 to 12, the event was held at the eponymous Shangri-La hotel on Orange Grove Road near Orchard Road. In the e-mail sent to the affected guests, Mr. Yu confirmed that certain data files had been stolen from the breached databases.
"Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data," he added.
Upon being asked whether the Shangri-La Dialogue was specifically targeted, a hotel spokesman said, “There is no evidence to suggest any specific hotel or event was singled out. As a matter of policy, we do not disclose information about our guests.”
"Data related to the Shangri-La Dialogue was stored on a separate secure server and was not affected in this incident," stated a spokesman for the event's organiser, the International Institute for Strategic Studies (IISS).
The Singapore Cyber Security Agency mentioned that it is aware of the incident and urged organisations to monitor and check their IT networks for signs of suspicious activity regularly. The properties affected are listed below:
• Shangri-La Apartments, Singapore
• Shangri-La Singapore
• Island Shangri-La, Hong Kong
• Kerry Hotel, Hong Kong
• Kowloon Shangri-La, Hong Kong
• Shangri-La Chiang Mai
• Shangri-La Far Eastern, Taipei
• Shangri-La Tokyo
Following the discovery of unauthorised network activity, the hotel group said it hired cyber forensic experts to investigate the discrepancies. The databases of the hotels affected by this incident contained a combination of the following data sets: guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names, according to the statement.
The hotel chain assured guests that there is currently no evidence that their personal information has been released or misused by third parties. As a precaution, in destinations where local regulations allow, it is providing affected guests with a one-year complimentary identity monitoring service provided by Experian, a third-party cyber security service provider.
"We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident. This notice provides information about what happened and how we can assist you," wrote Mr. Yu in the e-mail.
He ensured guests that data such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted. "Protecting our guests' information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems, and databases. Once again, we deeply regret any inconvenience or concerns this incident may cause."
