Data breach at Shangri-La hotels potentially affected guests of Asia's top security summit

A database breach has occurred at luxury hotel chain Shangri-La Group, potentially exposing the personal information of guests who had stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei and Tokyo.

In an e-mail informing affected guests, the group's senior vice-president for operations and process transformation, Brian Yu, said: "A sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected, and illegally accessed the guest databases."

Its investigation revealed that the breach took place between May and July 2022.

It was during this time that Asia's top security summit, the Shangri-La Dialogue, returned to Singapore after a two-year absence caused by the Covid-19 pandemic.

The event was held at the Shangri-La hotel in the Orchard area from June 10-12.

In the e-mail, Mr Yu confirmed that certain data files had been exfiltrated from the breached databases.

" Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data," he added.

The following properties are affected:

• Shangri-La Apartments, Singapore

• Shangri-La Singapore

• Island Shangri-La, Hong Kong

• Kerry Hotel, Hong Kong

• Kowloon Shangri-La, Hong Kong

• Shangri-La Chiang Mai

• Shangri-La Far Eastern, Taipei

• Shangri-La Tokyo

The hotel group said it engaged cyber forensic experts to investigate the anomalies following the discovery of unauthorised activities on its network.

It added that the databases of the hotels affected by this incident contained a combination of the following data sets: guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names.

The hotel group assured guests that there is currently no evidence that guests' personal data has been released by third parties or misused.

As a precaution, however, it is offering affected guests a one-year complimentary identity monitoring service provided by Experian, a third-party cyber security service provider, where local regulations permit it.

"We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident. This notice provides information about what happened and how we can assist you," wrote Mr Yu.

He assured guests that information such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted.

"Protecting our guests' information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems, and databases," he added.