Published on November 9, 2023, 5:48 am
The Shangri-La hotel group recently confirmed a data breach that occurred between May and July of this year across eight of its properties in Asia. The affected hotels include Island Shangri-La, Kerry Hotel, and Kowloon Shangri-La in Hong Kong, as well as properties in Singapore, Chiang Mai, Taipei, and Tokyo. Guest information such as names, email addresses, phone numbers, postal addresses, membership numbers, reservation dates, and company names was compromised.
Upon discovering unauthorized activity on its IT network, Shangri-La enlisted the help of cyber forensic experts to investigate the breach. Brian Yu, Senior Vice President of Operations and Process Transformation at Shangri-La Group, confirmed that a sophisticated threat actor managed to illegally access the guest databases without detection. Certain data files were found to have been exfiltrated from these databases.
To offer reassurance, Yu stated that sensitive information like passport numbers, ID numbers, dates of birth, and credit card numbers (including expiry dates) was encrypted and not exposed. There is currently no evidence to suggest that guests’ personal data has been released or misused by third parties.
Nevertheless, as a precautionary measure, Shangri-La is providing affected guests with a one-year complimentary identity monitoring service offered by Experian—a cybersecurity provider—where local laws allow it. Guests can choose to participate in this optional service and determine which information they want to include.
In response to media inquiries about the timing of the breach coinciding with the top security summit held at the Shangri-La hotel along Orange Grove Road in June—the 19th Shangri-La Dialogue organized by the International Institute for Strategic Studies (IISS)—IISS clarified that data related to the event was stored separately and remained unaffected by the breach. The hotel spokesperson also stated that there was no specific evidence suggesting that any particular hotel or event was targeted.
Shangri-La is collaborating with local authorities, including Singapore’s Cyber Security Agency and Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD), to handle the cybersecurity incident. The PCPD expressed disappointment that Shangri-La only notified them and its customers of the breach more than two months after becoming aware of it. The PCPD emphasized the need for prompt notification from organizations in such cases to minimize damage and enable affected parties to take appropriate action.
Shangri-La emphasized its commitment to strengthening the security of its networks, systems, and databases, underscoring the importance it places on protecting guests’ information. While incidents like these are unsettling, organizations must continue prioritizing cybersecurity measures to safeguard personal data in today’s digital landscape.