Eight Shangri-La hotels in Asia hit by data breach, potentially exposing guest information
Hackers managed to bypass Shangri-La’s IT security monitoring systems undetected between May and July 2022.
The Shangri-La Hotel at Orange Grove Road on Jan 15, 2021. (Photo: Jeremy Long)
SINGAPORE: Eight Shangri-La hotels in Asia, including Singapore and Hong Kong, were hit by a data breach, potentially exposing guest information such as names, email addresses and phone numbers.
Cyber forensic experts were called in to investigate after the discovery of unauthorised activities on Shangri-La’s IT network, said the hotel chain in an email to customers on Friday night (Sep 30).
"The investigation revealed that between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected and illegally accessed the guest databases," said Mr Brian Yu, Shangri-La Group's senior vice president of operations and process transformation.
The affected hotels are the Island Shangri-La, Kerry Hotel and Kowloon Shangri-La in Hong Kong, Singapore's Shangri-La Apartments and Shangri-La Singapore, Shangri-La Chiang Mai, Shangri-La Far Eastern in Taipei and Shangri-La Tokyo.
"The investigation confirmed that certain data files had been exfiltrated from these databases," said Mr Yu.
The databases contained a combination of guest names, email addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates and company names.
"We can assure you that information such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted," Mr Yu said, adding that there has been no evidence so far that the personal data has been released by third parties or misused.
"Nevertheless, as an added precaution, we are also offering affected guests a one-year complimentary identity monitoring service provided by Experian, a third-party service provider, in destinations where local regulation permits."
The identity monitoring service is optional and guests can decide how much information to include.
Shangri-La Group said it is cooperating with the relevant authorities on the matter.
Apologising to guests in the email, Mr Yu said: "Protecting our guests’ information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems and databases."
The 19th Shangri-La Dialogue, organised by the International Institute for Strategic Studies (IISS), took place from Jun 10 to Jun 12.
Responding to CNA's queries, IISS said data related to the Shangri-La Dialogue was stored on a separate server and was not affected in the breach.
Established in 2002, the dialogue serves as the premier defence and security conference in the Asia-Pacific region.
Visitors to this year's summit included Japanese Prime Minister Fumio Kishida, US Secretary of Defense Lloyd Austin and China's Defence Minister Wei Fenghe.
