Hackers targeted 8 Shangri-La hotels between May and July, guests’ data potentially leaked

SINGAPORE – A database breach has occurred at luxury hotel chain Shangri-La Group, potentially exposing the personal information of guests who had stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei and Tokyo.

In an e-mail informing affected guests on Friday, the group’s senior vice-president for operations and process transformation, Mr Brian Yu, said: “A sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected and illegally accessed the guest databases.”

Its investigation revealed that the breach took place between May and July 2022.

It was around that time that Asia’s top security summit Shangri-La Dialogue returned to Singapore after a two-year pandemic hiatus. The event was held at the eponymous Shangri-La hotel along Orange Grove Road near Orchard Road from June 10 to 12.

In the e-mail sent to affected guests, Mr Yu confirmed that certain data files had been stolen from the breached databases.

“Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data,” he added.

Asked whether the Shangri-La Dialogue was specifically targeted, a hotel spokesman said: “There is no evidence to suggest any specific hotel or event was singled out. As a matter of policy, we do not disclose information about our guests.”

A spokesman at the event organiser, the International Institute for Strategic Studies (IISS), said: “Data related to the Shangri-La Dialogue was stored on a separate secure server and was not affected in this incident.”

The Cyber Security Agency of Singapore said it is aware of the incident, and urged organisations to proactively monitor and check their IT networks regularly for signs of suspicious activity.

The following properties are affected:

• Shangri-La Apartments, Singapore

• Shangri-La Singapore

• Island Shangri-La, Hong Kong

• Kerry Hotel, Hong Kong

• Kowloon Shangri-La, Hong Kong

• Shangri-La Chiang Mai

• Shangri-La Far Eastern, Taipei

• Shangri-La Tokyo

The hotel group said it engaged cyber forensic experts to investigate the anomalies following the discovery of unauthorised activities on its network.

It added that the databases of the hotels affected by this incident contained a combination of the following data sets: guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates and company names.

The hotel group assured guests that there is currently no evidence that guests’ personal data has been released by third parties or misused.

As a precaution, however, it is offering affected guests a one-year complimentary identity monitoring service provided by Experian, a third-party cyber security service provider, in destinations where local regulation permits.

“We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident. This notice provides information about what happened and how we can assist you,” wrote Mr Yu in the e-mail.

He assured guests that information such as passport numbers, ID numbers, dates of birth and credit card numbers with expiry dates is encrypted.

“Protecting our guests’ information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems and databases. Once again, we deeply regret any inconvenience or concerns this incident may cause,” he added.

