Hong Kong Privacy Office Says It Is ‘Disappointed’ With Breach Notification
A cybersecurity incident at Shangri-La Group hotels may affect hundreds of thousands of guests who visited the Asian hotel chain’s flagship properties.
The Hong Kong-based hotel and commercial real estate company operates 104 hotels in Asia under different names including Traders and Jen. It says the breach mainly affects Shangri-La-branded hotels in Hong Kong, Singapore, Tokyo, Thailand and Taiwan. One Kerry Hotel-branded location in Hong Kong is also affected by the actions of someone the company calls “a sophisticated threat actor” who bypassed monitoring systems to access the guest database.
Attackers did not encrypt data, and the company says it is unable to provide details about the culprit. The hotel chain has “not been able to confirm the exact contents of the exfiltrated data files,” Olivia Christensen, assistant vice president for corporate communications at Shangri-La Hotels and Resorts, tells Information Security Media Group.
Affected databases contained data including guest names, email addresses, phone numbers, postal addresses and reservation dates. The hotel chain encrypts identifying information such as passport numbers, birthdates and payment card numbers in its database, Christensen says.
The company ended 2021 with revenue of $1.2 billion. A majority of its hotel revenue comes from guests staying in properties located in mainland China.
The Hong Kong Office of the Privacy Commissioner for Personal Data says the incident may affect more than 290,000 individuals and expressed disappointment about the chain’s breach notification response. The hotel chain acknowledges becoming aware of suspicious activities in July and says access to its guest database started in May.
“We are disappointed to note that Shangri-La only formally notified the PCPD and informed its customers of the incident more than two months after it had become aware of the incident,” the data protection authority said in a statement shared with ISMG.
Shangri-La says it waited until the threat actor had been firmly removed from its systems. “Guests were notified as soon as we were assured that our system was secure.”
The investigations have, so far, found no evidence of misuse of the customers’ personal information, but the hotel chain is providing a free third-party identity monitoring service to its customers for one year.
Just weeks ago, publicly traded InterContinental Hotels Group was also caught up in a cyberattack that lasted at least three days and disrupted the hospitality chain’s reservation system (see: Online Attack Disrupts InterContinental Hotels Group).
In February, a data breach incident affected 1.2 million guests of Hong Kong’s Harbour Plaza Hotel (see: Data Leak at Hong Kong’s Harbour Plaza Hotel Affects 1.2M).