Hong Kong’s privacy watchdog has also said it would conduct a review following news of the data breach at three Hong Kong hotels. Photo: Shutterstock

Hackers gain access to personal data of more than 290,000 hotel guests in Hong Kong

  • Breach involved Island Shangri-La, Kowloon Shangri-La and Kerry Hotel
  • Office of the Privacy Commissioner for Personal Data hits out at Shangri-La Group for waiting several months to tell customers about the incident

More than 290,000 people are at risk of having their personal information leaked after staying at three hotels in Hong Kong, the city’s privacy watchdog has warned.

A spokesman for the Office of the Privacy Commissioner for Personal Data on Saturday said it received a report on the data breach from the Shangri-La Group on Thursday, but hit out at the company for not notifying customers until months after the incident had occurred.

“The [privacy commissioner] is disappointed to note that Shangri-La only formally notified the [office] and informed its customers of the incident more than two months after it had become aware of the incident,” the spokesman said.

The statutory body would launch a compliance review given the nature of the incident, he added, with the office estimating more than 290,000 people could have been affected by the data breach.

In an email seen by the Post, the international hotel chain told members of its Shangri-La Circle scheme that hackers had managed to access customer databases for eight of its hotels in Asia between May and July.

According to the email, the breach included three venues in Hong Kong, which were the Island Shangri-La, Kowloon Shangri-La and the Kerry Hotel.

“The investigation found that professional cyberattackers had bypassed our IT security monitoring system between May and July 2022 and illegally gained access to the guest databases,” the company wrote in the email on Saturday.

“The investigation showed that some of the files had been leaked from these databases. Although we cannot confirm the contents of the leaked data files, they may involve guest data.”

The Shangri-La Group has told customers there is currently no evidence that any personal information has been misused. Photo: Getty Images

Data collected by the international hotel chain and at risk of being leaked included customers’ names, contact details, account numbers for the membership scheme, booking dates and affiliated companies, it said.

But the Shangri-La Group added that other personal information, such as identification documents, credit card details and dates of birth, was protected by an encrypted system.

The hotel chain offered its customers in Hong Kong a free year of personal data protection and said there was currently no evidence any personal information had been publicised or misused.

But the Office of the Privacy Commissioner for Personal Data warned any data breaches should be reported immediately to give all those affected sufficient time to respond.

The statutory body added it had not received any inquiries from residents regarding the incident as of Saturday.

Francis Fong Po-kiu, an honorary president of the Hong Kong Information Technology Federation, said such data breaches were not rare, despite the regional impact of this particular case.

“These hotel chains have too many outlets, and each hotel may vary in operations and ways of handling such data. The difference may already exist between the reception and the back office,” he said.

Fong advised hotel patrons to use electronic wallets when conducting transactions, saying it could prevent their credit card details from being revealed by hackers.

He also suggested those affected by data breaches should immediately contact their banks if they saw any dubious transactions taking place in their accounts.

A Shangri-La Group spokesman said it had launched an investigation and notified relevant authorities upon discovery of the threat, while guests were alerted as soon as the network became secure again.

“We will continue to work closely with the relevant authorities and provide our full cooperation,” he said.
