Data breaches impacting eight Shangri-La hotels around Asia, including Singapore and Hong Kong, have been exposed

A police vehicle drives past the venue of the Shangri-La Dialogue summit in Singapore on June 10, 2022. (Photo by Roslan RAHMAN / AFP)

Shangri-La just revealed its hotels across Asia were breached. Is guest data at large?

It seems appropriate that during Cybersecurity Awareness Month, data breaches impacting organizations large and small keep coming to light. Recent high-profile incidents included the ones first reported at Australian telecommunications networks Optus and Telstra, and now data breaches impacting eight Shangri-La hotels around Asia, including Singapore and Hong Kong, have been exposed.

It has become increasingly evident that major brands hit by cyber intrusions, particularly those affecting sensitive personal data of clientele, keep their cards close to their chests for fear of reputational damage and public backlash over lax data protection measures. The Shangri-La Group appears to fall into that category, not immediately disclosing the information leak that allegedly took place between May and July. Affected guests were only informed in an email on September 30 that their information was potentially affected by unauthorized activities on the Group’s network.

“The investigation revealed that between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected and illegally accessed the guest databases,” said Brian Yu, the Group’s senior vice president of operations and process transformation. “The investigation confirmed that certain data files had been exfiltrated from these databases.”

Ironically, the cybersecurity incidents appear to have occurred around the time of the Shangri-La Dialogue security conference that took place in mid-June, and was held at the eponymous hotel in Singapore after a hiatus of two years as a consequence of the pandemic.

Spokespeople for both Shangri-La Singapore and the event organiser, the International Institute for Strategic Studies (IISS), told the Straits Times that “Data related to the Shangri-La Dialogue was stored on a separate secure server and was not affected” by the breach, nor was any guest information disclosed from the conference.

Police stand guard outside the venue of the Shangri-La Dialogue summit. (Photo by Roslan RAHMAN / AFP)

The hotels and residences under the Group that were directly impacted by the data breach are Shangri-La Apartments Singapore, Shangri-La Singapore, Island Shangri-La Hong Kong, Kerry Hotel Hong Kong, Kowloon Shangri-La Hong Kong, Shangri-La Chiang Mai Thailand, Shangri-La Far Eastern Taipei, and Shangri-La Tokyo.

The hotel consortium added that cyber forensic specialists were engaged to investigate the suspicious activities on its network, and found that the affected data sets in its databases contained combinations of guest-affiliated data including names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names.

While the luxury chain was at pains to assure visitors that there was no evidence of guest personal data being distributed by third parties or misused at present, Shangri-La was offering affected parties a one-year complimentary identity monitoring service supplied by an external business and cybersecurity service provider, Experian.

“We can assure you that information such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted,” Shangri-La’s Yu added in his e-mail, going on to say that the identity monitoring service was optional and that guests could control how much information they decided to share with the third party.

Yu apologized to affected guests and assured them that steps were being taken to secure their information, writing, “We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident […] We can assure you that information such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted.”

“Protecting our guests’ information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems and databases,” he concluded. “Once again, we deeply regret any inconvenience or concerns this incident may cause.”

As one of the more sought-after and trusted hotel chains in the Asia Pacific region for business travellers and high-end vacationers alike, one can only hope that the Shangri-La Group takes better precautions than the Marriott International chain, which experienced a second data breach slightly more than a year after a prior incident where the personal details of 500 million customers were stolen, leaving the hotel with a hefty fine of US$152 million to pay.