Shangri-La hotel data breach likely had 'minimal' impact at Singapore ministerial summit

Singapore says most of the foreign government delegates who attended this year's Shangri-La Dialogue defence summit did not provide their personal details, while the hotel group unveils it has received an email from hackers claiming responsibility for the attack.
Written by Eileen Yu, Senior Contributing Editor

A recent data breach that hit eight Shangri-La hotels is unlikely to have a large impact on foreign government delegates who attended a high-level defence summit in Singapore, which was held at the hotel. Hackers claiming to have instigated the attack apparently have made contact with the hotel chain. 

Shangi-La Group said Friday it received an email from senders who claimed responsibility for the data security breach that it announced on September 30. As a precaution, the hotel group said it informed the relevant law enforcement and regulators about the email. 

It added that more details would be provided when it had more to share. 

The data breach had affected eight of its hotels, including in Singapore, Taipei, Tokyo, Hong Kong, and Chiang Mai. 

In an email the hotel chain sent to affected guests, Shangri-La Group's senior vice president of operations and process transformation Brian Yu said a "sophisticated threat actor" had bypassed the company's cybersecurity monitoring systems undetected and "illegally accessed the guest databases". 

Its investigation determined that the breach had occured between May and July this year, Yu said. 

The affected databases had contained personal information such as names, phone numbers, and email addresses as well as membership numbers and reservation dates. 

According to Yu, data such as passport numbers, identification numbers, dates of birth, and credit card numbers were encrypted. 

ZDNET emailed Shangri-La with questions on how the breach occurred, why it was undetected for four months, and what the hackers had asked for it their email. This article will be updated when the hotel responds. 

In a statement following the incident, Hong Kong's Office of the Privacy Commissioner for Personal Data (PCPD) said it was notified about the breach in the evening of September 29. It said personal data of more than 290,000 customers in Hong Kong might have have been compromised in the breach, which affected three local hotels including Kowloon Shangri-La.

Expressing disappointment that customers as well as PCPD were only informed more than two months after Shangri-La was aware of the incident, the Hong Kong privacy commissioner said it had commenced a compliance check on the breach.

Singapore on Monday said it also was working with the hotel group to improve safeguards. 

Defence ministers from around the globe, including the US, Japan, and Australia, had gathered at a defence summit held at Shangri-La Singapore in June, during which the hotel's database already had been infiltrated and the breach undetected. 

The impact on guests, though, was likely to be "minimal", said Singapore's Ministry of Communications and Information (MCI) in a written parliamentary response

"The majority of the Shangri-La hotel guests who attended the 19th Shangri-La Dialogue, especially dignitaries, registered in groups through their embassies without submitting their personal details," MCI said, adding that some hotel guests who provided their personal particulars had been contacted by the hotel group about the breach. 

While the impact on the summit was "likely to be minimal", MCI said Singapore's Defence Ministry was taking further steps with the summit organiser as well as Shangri-La to "enhance safeguards".  


Editorial standards