Keyboard. Soumil Kumar, Pexels

Hackers have breached the database at luxury hotel chain Shangri-La Group, potentially exposing the personal information of guests who had stayed at its hotels in Chiang Mai, Hong Kong, Singapore, Taipei and Tokyo.

The group’s senior vice-president for operations and process transformation, Brian Yu, sent an email on Friday to all guests who are affected, saying: “A sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected and illegally accessed the guest databases.”

The email continued:

Dear Valued Guest,

We are writing to inform you of a data security incident that occurred at a Shangri-La hotel that you may have stayed in. Shangri-La has reported the incident to relevant authorities and is cooperating with them.

We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident. This notice provides information about what happened and how we can assist you. 

What happened

Following the discovery of unauthorized activities on Shangri-La’s IT network, we engaged cyber forensic experts to investigate the anomalies. The investigation revealed that between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected, and illegally accessed the guest databases of the following hotels:

  • Island Shangri-La, Hong Kong
  • Kerry Hotel, Hong Kong
  • Kowloon Shangri-La, Hong Kong
  • Shangri-La Apartments, Singapore
  • Shangri-La Singapore
  • Shangri-La Chiang Mai
  • Shangri-La Far Eastern, Taipei
  • Shangri-La Tokyo

The investigation confirmed that certain data files had been exfiltrated from these databases. Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data.

What information may have been involved

The databases of the hotels affected by this incident contained a combination of the following data sets: guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names. We can assure you that information such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted. 

How we can help

To date, we have no evidence that your personal data has been released by third parties or misused. Nevertheless, as an added precaution, we are also offering affected guests a one-year complimentary identity monitoring service provided by Experian, a third-party service provider, in the destination where local regulation permits.

The service (Experian IdentityWorks℠) monitors if your personal information may be on the web, social networks and public databases. This is an optional service, and how much information to include in the identity monitoring is completely at your discretion.

If you would like to use this service, please register directly at http://www.globalidworks.com/identity1 using the following unique code: [a unique code is provided here for each affected guest] on or before 31 December 2022.

For more information

If you have any further questions about the incident, you can contact us by:

Chinese: https://static.shangri-la.com/corporate/chat/zh.html

English: https://static.shangri-la.com/corporate/chat/en.html

Protecting our guests’ information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems, and databases. We encourage you to be on the lookout for any suspicious activities or notifications across your accounts.

Once again, we deeply regret any inconvenience or concerns this incident may cause.

Yours sincerely,

Brian Yu

Senior Vice President, Operations and Process Transformation

Shangri-La Group  



Edited by Peter Needham