Cyber Incident Victim: Shangri-La Hotels and Resorts
Date: May 2022
Location: Singapore
Summary
A sophisticated threat actor breached Shangri-La Hotels and Resorts' IT systems, bypassing security monitoring to access guest databases across eight Asian properties over several months. The compromised databases contained encrypted personal information including contact details, passport numbers, and credit card data, though investigators couldn't confirm the exact content of exfiltrated files. While the intrusion coincided with a high-profile security summit hosted at one affected location, summit organizers confirmed attendee data remained secure on separate servers. The hotel group found no evidence of guest data misuse and notified relevant authorities and potentially impacted individuals.
Description
In late September 2022, Shangri-La Hotels and Resorts disclosed a cybersecurity incident involving unauthorized access to guest databases at eight of its Asian properties. The breach occurred between May and July 2022, with the company detecting anomalous network activities during this period but only confirming the intrusion through subsequent investigations. Affected locations included hotels in Hong Kong, Singapore, Chiang Mai, Taipei, and Tokyo. A sophisticated threat actor bypassed the company’s IT security monitoring systems without triggering alerts, gaining undetected access to databases containing customer information. The intrusion timeline overlapped with the Shangri-La Dialogue security summit held at the Singapore property from June 10-12, 2022, which hosted high-profile attendees including U.S. Defense Secretary Lloyd Austin and Chinese Defense Minister General Wei Fenghe. Shangri-La’s public statement on September 30 indicated investigators confirmed data exfiltration from the compromised databases but could not definitively identify the specific records stolen. The company emphasized that while guest contact information was stored in the breached databases, sensitive personal data such as dates of birth, identity documents, passport numbers, and credit card details remained encrypted. No evidence suggested misuse of stolen data at the time of disclosure.

Shangri-La initiated incident response protocols by engaging forensic experts to determine the breach scope and collaborating with law enforcement agencies across affected jurisdictions. Notifications were issued to regulatory authorities and potentially impacted guests as a precautionary measure. The investigation revealed the attacker targeted guest information databases exclusively, with no compromise of operational systems or reservation platforms. The International Institute for Strategic Studies, organizer of the Shangri-La Dialogue, confirmed summit-related data resided on a separate secure server unaffected by the breach. Company statements reiterated that encrypted data fields remained protected despite the exfiltration attempt but did not specify the encryption standards or whether decryption keys were accessed. The breach duration of approximately three months indicated prolonged unauthorized access prior to detection. Shangri-La did not publicly attribute the attack to any specific threat actor or disclose whether ransomware or extortion demands accompanied the data theft.
