Notice of a Data Security Incident

Shangri-La Group recently discovered unauthorized activities on our IT network. We immediately engaged cyber forensic experts to investigate and contain the issue. The investigation revealed that between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected, and illegally accessed the guest databases of the following properties:

Island Shangri-La, Hong Kong
Kerry Hotel, Hong Kong
Kowloon Shangri-La, Hong Kong
Shangri-La Apartments, Singapore
Shangri-La Singapore
Shangri-La Chiang Mai
Shangri-La Far Eastern, Taipei
Shangri-La Tokyo

Certain data files were found to have been exfiltrated from these databases but the investigation has not been able to verify the content of these files. The databases contained guests' contact information but personal information such as dates of birth, identity and passport numbers, and credit card details, was encrypted. There is no indication that any guest data has been misused.

This incident has not impacted our operations and steps have been taken to further strengthen the security measures of our IT networks. We have notified the relevant authorities as well as affected guests.

We deeply regret any inconvenience or concerns this incident may cause.

FAQ

1. When did you first learn of this incident and when did the unauthorised access occur?

We first noticed suspicious activities on our IT networks in July 2022. We immediately engaged forensic experts to investigate and contain the issue.

The investigation revealed that a sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected, and illegally accessed guest databases in a number of our properties in Asia between May and July 2022.

2. How did you become aware of the incident?

Our network security monitoring services identified suspicious activities on our IT networks.

3. Has the incident been fully contained?

We would like to assure you that all necessary steps have been taken to ensure that our IT systems are secure.

4. Did the attackers encrypt any of your servers or systems?

No, our systems have not been affected.

5. Are your operations impacted? Is it safe to book with your properties around the world?

There is no impact on our booking systems or operations, and it is safe to continue booking with our properties globally.

We have deployed additional monitoring technologies throughout our systems and are taking measures to further reinforce system security.

6. How many guest profiles are at risk?

Certain data files were found to have been exported from the databases but the investigation has not been able to verify the content of these files.

We can reassure guests that more sensitive data was encrypted, including passport numbers, identification numbers, and dates of birth, as well as credit card numbers with expiry dates.

From our security monitoring, there is no evidence that any personal information has been misused. Although we believe the risk of harm to guest is low, we encourage guests to be on the lookout for any suspicious activities or notifications across their accounts.

7. Who do you suspect is behind it?

As the investigation is still ongoing, we are unable to provide details.

8. When will you complete the investigation?

We are treating this matter very seriously and have engaged experts to investigate this incident. The investigation is still underway. In the meantime, we have taken all necessary steps to further strengthen the security of our networks.

9. How many properties and guests are affected by the incident, and in which cities?

Our investigation confirmed that networks at the following properties containing guest data were accessed by unauthorised third parties:

Island Shangri-La, Hong Kong
Kerry Hotel, Hong Kong
Kowloon Shangri-La, Hong Kong
Shangri-La Apartments, Singapore
Shangri-La Singapore
Shangri-La Chiang Mai
Shangri-La Far Eastern, Taipei
Shangri-La Tokyo

10. Why were guests not notified of the breach earlier or immediately?

The investigation was carried out with the utmost urgency to determine the nature and extent of the incident and to contain the threat. Guests were notified as soon as we were assured that our system was secure.

11. What information has been leaked?

Our investigations show that certain data files were exported from the databases of the affected hotels. However, we have not been able to verify the content of these files. We have decided to notify guests out of an abundance of caution.

The databases contained some combination of guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names.

We would like to emphasise that more sensitive data was encrypted, including passport numbers, identification numbers, and dates of birth, as well as credit card numbers with expiry dates.

12. Were my Shangri-La Circle points misused or lost?

There is no impact on Shangri-La Circle accounts.

13. Has any data been exposed?

Our security monitoring services are following the situation closely and we have not seen any evidence that any guest data has been misused or disclosed. Also, more sensitive data on the affected servers, such as dates of birth, passport or ID numbers and credit card details, was encrypted.

14. Is sensitive information such as passport data and credit card information at risk?

No. More sensitive data, including passport numbers, dates of birth, and credit card numbers with expiry dates was encrypted and is therefore not at risk.

15. If I have never booked nor stayed at the affected properties, does that mean I am not affected by this incident?

Yes, you are not affected by this incident.

16. I have an upcoming reservation at an unaffected Shangri-La hotel, should I be concerned about my data privacy?

No. This issue affected servers located in a few of our hotels in Asia and has since been contained. There is no impact on bookings and operations.

We have further strengthened our IT networks and databases. It is safe to continue booking with our properties globally.

17. How do I know if I am an affected guest of this incident?

If you have stayed at any of the affected hotels, it is likely that your personal data was in the databases of these hotels.

If you have not stayed in any of the affected hotels, you are not affected by this incident.

18. Why did I not receive any notification?

We have notified guests of affected hotels based on the available contact information.

19. What are you advising your guests to do?

While we are not aware of any guests having suffered any harm, we encourage you to have a heightened awareness across your accounts, including looking out for any suspicious activities or notifications across your accounts.

IDENTITY MONITORING SERVICES

1. What does Experian IdentityWorks^SM monitor and how does it work?

Experian is a third-party identity monitoring service provider that can monitor the web, social networks, and public databases for personal information you have provided.

2. Where does Experian cover?

Experian provides identity monitoring services to residents based in the following destinations:

Australia, Austria, Brazil, Canada, Denmark, Finland, France, Germany, Hong Kong, India, Ireland, Italy, Malaysia, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Singapore, Spain, South Africa, Sweden, Switzerland, Turkey, United Kingdom, United States, Puerto Rico, Guam and US Virgin Islands.

3. Why should I use this service if sensitive information was encrypted? I don’t want to share personal or sensitive information.

This is an added precaution and optional service. How much information you provide is completely at your discretion.

4. How long is the service valid for?

The service is valid from 30 September 2022 for one year, while registration should be completed by 31 December 2022 using the unique code in our email notification.

5. What should I do if I receive an alert?

If you receive an alert, it means Experian has found a match to personal information you provided, in an at-risk location. It does not mean that fraud has occurred. We encourage you to be on the lookout for any suspicious activities or notifications across your accounts.

30 September, 2022

Notice of a Data Security Incident

FAQ

1. When did you first learn of this incident and when did the unauthorised access occur?

2. How did you become aware of the incident?

3. Has the incident been fully contained?

4. Did the attackers encrypt any of your servers or systems?

5. Are your operations impacted? Is it safe to book with your properties around the world?

6. How many guest profiles are at risk?

7. Who do you suspect is behind it?

8. When will you complete the investigation?

9. How many properties and guests are affected by the incident, and in which cities?

10. Why were guests not notified of the breach earlier or immediately?

11. What information has been leaked?

12. Were my Shangri-La Circle points misused or lost?

13. Has any data been exposed?

14. Is sensitive information such as passport data and credit card information at risk?

15. If I have never booked nor stayed at the affected properties, does that mean I am not affected by this incident?

16. I have an upcoming reservation at an unaffected Shangri-La hotel, should I be concerned about my data privacy?

17. How do I know if I am an affected guest of this incident?

18. Why did I not receive any notification?

19. What are you advising your guests to do?

IDENTITY MONITORING SERVICES

1. What does Experian IdentityWorks^SM monitor and how does it work?

2. Where does Experian cover?

3. Why should I use this service if sensitive information was encrypted? I don’t want to share personal or sensitive information.

4. How long is the service valid for?

5. What should I do if I receive an alert?

6. Do I need to pay for the identity monitoring service?

7. I have sent an email to Experian related to the technical issue but I still have not received their response.

8. The activation code given can't be activated.

9. What should I do if I've lost the activation code and could not find the notification received?

30 September, 2022

Notice of a Data Security Incident

FAQ

1. When did you first learn of this incident and when did the unauthorised access occur?

2. How did you become aware of the incident?

3. Has the incident been fully contained?

4. Did the attackers encrypt any of your servers or systems?

5. Are your operations impacted? Is it safe to book with your properties around the world?

6. How many guest profiles are at risk?

7. Who do you suspect is behind it?

8. When will you complete the investigation?

9. How many properties and guests are affected by the incident, and in which cities?

10. Why were guests not notified of the breach earlier or immediately?

11. What information has been leaked?

12. Were my Shangri-La Circle points misused or lost?

13. Has any data been exposed?

14. Is sensitive information such as passport data and credit card information at risk?

15. If I have never booked nor stayed at the affected properties, does that mean I am not affected by this incident?

16. I have an upcoming reservation at an unaffected Shangri-La hotel, should I be concerned about my data privacy?

17. How do I know if I am an affected guest of this incident?

18. Why did I not receive any notification?

19. What are you advising your guests to do?

IDENTITY MONITORING SERVICES

1. What does Experian IdentityWorksSM monitor and how does it work?

2. Where does Experian cover?

3. Why should I use this service if sensitive information was encrypted? I don’t want to share personal or sensitive information.

4. How long is the service valid for?

5. What should I do if I receive an alert?

6. Do I need to pay for the identity monitoring service?

7. I have sent an email to Experian related to the technical issue but I still have not received their response.

8. The activation code given can't be activated.

9. What should I do if I've lost the activation code and could not find the notification received?

1. What does Experian IdentityWorks^SM monitor and how does it work?