Shangri-La on Friday informed select guests that their information may have been exposed to an unauthorized third party on a “data security incident.”
This third party had vacuumed files and information from their internal network in May, June, and July 2022.
You can access Shangri-La’s page for the IT hack here.
Affected hotels per Shangri-La:
- Island Shangri-La, Hong Kong
- Kerry Hotel, Hong Kong
- Kowloon Shangri-La, Hong Kong
- Shangri-La Apartments, Singapore
- Shangri-La Singapore
- Shangri-La Chiang Mai
- Shangri-La Far Eastern, Taipei
- Shangri-La Tokyo
Email from Shangri-La:
The email, the frequently asked questions on Shangri-La’s website, and the fact that the Hong Kong hotelier has not released any press releases about this “incident” leave many questions unanswered.
They claim to know what data has been exported but cannot identify the contents of those files.
Some information on the databases is encrypted while others are not.
I have NOT stayed at any of the properties mentioned above, yet Shangri-La believes that my information has been leaked; how and where?
Frequently Asked Questions by Shangri-La:
1. When did you first learn of this incident and when did the unauthorised access occur?
We first noticed suspicious activities on our IT networks in July 2022. We immediately engaged forensic experts to investigate and contain the issue.
The investigation revealed that a sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected, and illegally accessed guest databases in a number of our properties in Asia between May and July 2022.
2. How did you become aware of the incident?
Our network security monitoring services identified suspicious activities on our IT networks.
3. Has the incident been fully contained?
We would like to assure you that all necessary steps have been taken to ensure that our IT systems are secure.
4. Did the attackers encrypt any of your servers or systems?
No, our systems have not been affected.
5. Are your operations impacted? Is it safe to book with your properties around the world?
There is no impact on our booking systems or operations, and it is safe to continue booking with our properties globally.
We have deployed additional monitoring technologies throughout our systems and are taking measures to further reinforce system security.
6. How many guest profiles are at risk?
Certain data files were found to have been exported from the databases but the investigation has not been able to verify the content of these files.
We can reassure guests that more sensitive data was encrypted, including passport numbers, identification numbers, and dates of birth, as well as credit card numbers with expiry dates.
From our security monitoring, there is no evidence that any personal information has been misused. Although we believe the risk of harm to guest is low, we encourage guests to be on the lookout for any suspicious activities or notifications across their accounts.
7. Who do you suspect is behind it?
As the investigation is still ongoing, we are unable to provide details.
8. When will you complete the investigation?
We are treating this matter very seriously and have engaged experts to investigate this incident. The investigation is still underway. In the meantime, we have taken all necessary steps to further strengthen the security of our networks.
9. How many properties and guests are affected by the incident, and in which cities?
Our investigation confirmed that networks at the following properties containing guest data were accessed by unauthorised third parties:
Island Shangri-La, Hong Kong
Kerry Hotel, Hong Kong
Kowloon Shangri-La, Hong Kong
Shangri-La Apartments, Singapore
Shangri-La Chiang Mai
Shangri-La Far Eastern, Taipei
10. Why were guests not notified of the breach earlier or immediately?
The investigation was carried out with the utmost urgency to determine the nature and extent of the incident and to contain the threat. Guests were notified as soon as we were assured that our system was secure.
11. What information has been leaked?
Our investigations show that certain data files were exported from the databases of the affected hotels. However, we have not been able to verify the content of these files. We have decided to notify guests out of an abundance of caution.
The databases contained some combination of guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names.
We would like to emphasise that more sensitive data was encrypted, including passport numbers, identification numbers, and dates of birth, as well as credit card numbers with expiry dates.
12. Were my Shangri-La Circle points misused or lost?
There is no impact on Shangri-La Circle accounts.
13. Has any data been exposed?
Our security monitoring services are following the situation closely and we have not seen any evidence that any guest data has been misused or disclosed. Also, more sensitive data on the affected servers, such as dates of birth, passport or ID numbers and credit card details, was encrypted.
14. Is sensitive information such as passport data and credit card information at risk?
No. More sensitive data, including passport numbers, dates of birth, and credit card numbers with expiry dates was encrypted and is therefore not at risk.
15. If I have never booked nor stayed at the affected properties, does that mean I am not affected by this incident?
Yes, you are not affected by this incident.
16. I have an upcoming reservation at an unaffected Shangri-La hotel, should I be concerned about my data privacy?
No. This issue affected servers located in a few of our hotels in Asia and has since been contained. There is no impact on bookings and operations.
We have further strengthened our IT networks and databases. It is safe to continue booking with our properties globally.
17. How do I know if I am an affected guest of this incident?
If you have stayed at any of the affected hotels, it is likely that your personal data was in the databases of these hotels.
If you have not stayed in any of the affected hotels, you are not affected by this incident.
18. Why did I not receive any notification?
We have notified guests of affected hotels based on the available contact information.
19. What are you advising your guests to do?
While we are not aware of any guests having suffered any harm, we encourage you to have a heightened awareness across your accounts, including looking out for any suspicious activities or notifications across your accounts.