A DATABASE breach has occurred at luxury hotel chain Shangri-La Group, potentially exposing the personal information of guests who had stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei and Tokyo.

In an email informing affected guests on Friday, the group’s senior vice-president for operations and process transformation, Brian Yu, said: “A sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected and illegally accessed the guest databases.”

Its investigation revealed that the breach took place between May and July 2022.

It was around that time that Asia’s top security summit Shangri-La Dialogue returned to Singapore after a two-year pandemic hiatus.

The event was held at the eponymous Shangri-La hotel along Orange Grove Road near Orchard Road from June 10 to 12.

Yu confirmed that certain data files had been stolen from the breached databases.

“Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data,” he added.

Asked whether the Shangri-La Dialogue was specifically targeted, a hotel spokesperson said: “There is no evidence to suggest any specific hotel or event was singled out. As a matter of policy, we do not disclose information about our guests.”

The affected hotels are the Island Shangri-La, Kerry Hotel and Kowloon Shangri-La in Hong Kong, Singapore’s Shangri-La Apartments and Shangri-La Singapore, Shangri-La Chiang Mai, Shangri-La Far Eastern in Taipei and Shangri-La Tokyo.

The Cyber Security Agency of Singapore said it is aware of the incident, and urged organisations to proactively monitor and check their IT networks regularly for signs of suspicious activity.

The hotel group assured guests that there is currently no evidence that guests’ personal data has been released by third parties or misused.

“We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident,” wrote Yu in the email.

 - ANN