Data from eight Shangri-La hotels have been breached in a cyber security incident that happened while defence officials from various countries were staying in one of the brand’s hotels for a conference.
In a statement dated 30 September, Shangri-La said a “sophisticated threat actor” accessed its guest databases for hotels in Hong Kong, Singapore, Thailand, Taiwan, and Japan.
“Certain data files were found to have been exfiltrated from these databases but the investigation has not been able to verify the content of these files,” Shangri-La said.
“The databases contained guests' contact information but personal information such as dates of birth, identity and passport numbers, and credit card details, was encrypted. There is no indication that any guest data has been misused.”
The actual incident took place “between May and July 2022”, according to Shangri-La – during which time one of its Singaporean hotel was hosting the International Institute for Strategic Studies (IISS) Shangri-La Dialogue – a defence summit featuring regional defence officials.
Defence Minister Richard Marles represented Australia at the summit, held shortly after the election, where he met with Chinese General Wei Fenghe in what was the first time since early 2020 that high ranking officials from the two countries had met one-on-one.
In a statement to the ABC, the Department of Defence said had been in contact with Shangri-La and would “work with any impacted personnel to minimise potential risks that could arise from this breach”.
Shangri-La said it uncovered the attack in July after finding “suspicious activity” on its networks.
Hong Kong’s Privacy Commissioner’s Officer said it was “disappointed” to learn of the Shangri-La incident two full months after finding intruders on its systems.
The Commissioner said more than 290,000 of the hotel chain’s Hong Kong customers may have been caught up in the breach.
Shangri-La insists ID information on its customer databases were encrypted and that the risk for its affected customers is “low” but warned for people to remain vigilant.
Data breaches are at the forefront of the Australian public’s mind following the Optus breach in which 9.8 million Australians had their personal information exposed.
Optus, like Shangri-La also said its database was encrypted but sample data from a person claiming to be the bad actor in that incident showed driver’s licence, passport, and Medicare numbers accessible in an unencrypted format.
The Guardian reported a ransomware attack on security services provider G4S earlier this year had resulted in leaked employee data, including tax file numbers and bank account details.
And cyber security researcher Jamieson O’Reilly claims to have found a leaky API that had been cached by Google’s crawler and was showing results of driver’s licences in Image searches.