Singapore's Personal Data Protection Commission (PDPC) recently disclosed that a data breach involving Shangri-La Hotel Ltd's property management system, which was compromised in 2022, potentially exposed the personal data of over a million guests.
The incident occurred in June 2022, and the first public disclosure came later in the same year. However, more details about the breach, including its scope and magnitude, were made public only yesterday, after the PDPC reviewed the case and accepted a voluntary undertaking from the company to improve its data protection practices.
Incident details and timeline
The breach was reported to the PDPC on July 16, 2022, after Shangri-La Hotel Ltd discovered that a threat actor had accessed and likely exfiltrated personal data on or around June 27, 2022. The compromised information included the following data belonging to 1,076,899 guests:
- Names
- Phone numbers
- Email addresses
- Physical addresses
- Countries of residence
- Membership details
Notably, more sensitive data, such as credit card details and identity documents, were encrypted, and there was no indication that they were accessed by the attackers.
Investigations revealed that the threat actor had been active in the broader Shangri-La Group's network — headquartered in Hong Kong — since as early as November 26, 2019. However, due to the lack of forensic evidence before that date, and the advanced evasion techniques used by the attackers, it was unclear how they initially gained access to the Hong Kong network.
By November 1, 2021, the attackers managed to compromise an account with domain-level administrator credentials, allowing them to navigate through the network. After six months of surveillance and reconnaissance, they moved laterally from the Hong Kong network to a patch management server in Singapore, eventually accessing the property management system where the guests' data was stored.
The hotels believed to have been affected by the breach are:
- Island Shangri-La, Hong Kong
- Kerry Hotel, Hong Kong
- Kowloon Shangri-La, Hong Kong
- Shangri-La Apartments, Singapore
- Shangri-La Singapore
- Shangri-La Chiang Mai, Thailand
- Shangri-La Far Eastern, Taipei
- Shangri-La Tokyo, Japan
Potential broader impact
The Shangri-La Group is a multinational luxury hospitality company headquartered in Hong Kong, with properties across Asia, the Middle East, North America, and Europe. Its Singapore-incorporated subsidiary, Shangri-La Hotel Ltd, was directly affected by this breach, but it may not be the only entity under the group impacted by the security lapse.
Given the international presence of the hotel brand, the incident raised significant concerns about data security and privacy standards across the company's operations. Consequently, Shangri-La Hotel Ltd also notified other relevant authorities, including Hong Kong's Office of the Privacy Commissioner for Personal Data.
The commission also identified a separate issue where the hotel's property management system retained data for 7,349 guest profiles that should have been purged per data retention policies. Shangri-La Hotel Ltd was already working with the software vendor to address this issue before the breach, and a full data purge was completed after the incident.
Shangri-La's response
Two third-party forensic experts were engaged by Shangri-La Hotel Ltd to investigate the breach. Despite the company's adoption of industry-standard information security measures, the threat actors successfully mimicked legitimate network connections, enabling them to bypass detection. The extended timeframe over which the threat actor operated — potentially over two and a half years — indicated a sophisticated and well-resourced adversary.
After detecting the breach, Shangri-La Hotel Ltd initiated several remedial actions to contain the threat and mitigate the impact, including contracting forensic experts to examine the systems for signs of threat actor activity, notifying all potentially affected individuals, and offering complimentary identity monitoring coverage.
Given the circumstances — including the sophisticated nature of the threat, the breach originating outside of Shangri-La Hotel Ltd's direct control, and the immediate steps taken post-discovery — the PDPC accepted a voluntary undertaking from the hotel to enhance its data protection practices. The undertaking outlined the following remediation steps:
- Enhanced logging of network and systems.
- Hardened network and systems to prevent future breaches.
- Isolated systems from the internet and blocked known malicious IP addresses.
- Removed and rebuilt compromised systems to ensure integrity.
- Engaged an independent cybersecurity provider for a security review.
- Worked with the software vendor to resolve property management system flaws.
- Revised the group's password policies to enforce complex controls within the Active Directory.