SINGAPORE: Eight Shangri-La hotels in Asia, including in Singapore and Hong Kong, were hit by a data breach, potentially exposing guest information such as names, email addresses and phone numbers.
Cyber forensic experts were called in to investigate after the discovery of unauthorised activities on Shangri-La’s IT network, said the hotel chain in an email to customers on Friday night (Sep 30).
“The investigation revealed that between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected and illegally accessed the guest databases,” said Mr Brian Yu, Shangri-La Group’s senior vice president of operations and process transformation.
The affected hotels are the Island Shangri-La, Kerry Hotel and Kowloon Shangri-La in Hong Kong, Singapore’s Shangri-La Apartments and Shangri-La Singapore, Shangri-La Chiang Mai, Shangri-La Far Eastern in Taipei and Shangri-La Tokyo.
“The investigation confirmed that certain data files had been exfiltrated from these databases,” said Mr Yu.
The databases contained a combination of guest names, email addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates and company names.
“We can assure you that information such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted,” Mr Yu said, adding that there has been no evidence so far that the personal data has been released by third parties or misused.
“Nevertheless, as an added precaution, we are also offering affected guests a one-year complimentary identity monitoring service provided by Experian, a third-party service provider, in destinations where local regulation permits.”
The identity monitoring service is optional and guests can decide how much information to include.
Shangri-La Group said it is cooperating with the relevant authorities on the matter.
Apologising to guests in the email, Mr Yu said: “Protecting our guests’ information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems and databases.”