Three hotels in Hong Kong under Shangri-La (Asia) have suffered cyber-attacks, affecting the personal data of over 290,000 customers.
According to the Office of the Privacy Commissioner for Personal Data (PCPD), the PCPD received a data breach notification from Shangri-La (Asia) on the evening of 29 September, notifying the PCPD that eight of its hotels suffered cyber-attacks, including three hotels in Hong Kong, namely Island Shangri-La, Hong Kong; Kerry Hotel, Hong Kong; and Kowloon Shangri-La, Hong Kong.
This comes as Shangri-La announced to its members on 30 September that it had found that professional cyber attackers bypassed its information technology security monitoring system and illegally accessed the guest data of its eight hotels from May to July this year. The hotel group also said that some files were leaked, which may include personal information such as names, phone numbers and mailing addresses, while giving assurance that passports, ID numbers and credit card numbers are encrypted and protected.
The PCPD noted that the personal data of over 290,000 Hong Kong customers might have been affected. Having considered the nature of the incident and the significant number of data subjects involved, the PCPD has commenced a compliance check into the incident. However, it has not received any enquiries from members of the public regarding the incident up to the present.
The PCPD is disappointed to note that Shangri-La only formally notified the PCPD and informed its customers of the incident more than two months after it had become aware of the incident, according to the release. The PCPD calls on organisations to notify the PCPD of any data breach incident as soon as possible.
The privacy watchdog said the notification of a data breach incident will enable the PCPD to help the organisation and the affected parties to take appropriate and timely measures to minimise the damage caused by the incident to the organisation and the affected parties. The organisation should also notify the affected parties of the data breach incident as soon as possible.
The PCPD appeals to citizens who have previously stayed in, and provided their personal data to, the Shangri-La hotels in question to be vigilant about potential theft of their personal data. To protect personal data privacy, affected citizens are also advised to beware of any unusual logins to any registered accounts and personal emails; review their payment card statements to spot any unauthorised transactions; change the passwords of the relevant accounts and enable the two-factor authentication function; and stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources.