Cyber Incident Victim: Harbour Plaza Hotel Group
Date:
Feb 2022
Location:
Hong Kong
Summary
A cyber attack compromised the Harbour Plaza Hotel Group's booking database, potentially exposing personal data of approximately 1.2 million customers. The breach prompted an investigation by the Privacy Commissioner's office to determine the scope and nature of the compromised information. Affected individuals were advised to remain vigilant against potential scams following the unauthorized access to their details. The hotel group reported the incident to authorities, though specific data types involved remained under assessment at the time of disclosure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around February 9, 2022, Harbour Plaza Hotel Group disclosed a cybersecurity incident impacting its booking database, affecting approximately 1.2 million customers. The Hong Kong-based hotel group reported the breach to the Office of the Privacy Commissioner for Personal Data (PCPD) on February 7, 2022, initiating a formal investigation into the unauthorized access. Privacy Commissioner Ada Chung publicly confirmed the probe on February 9, emphasizing the urgency of determining the specific types of compromised personal data. The breach exposed customer information stored within the hotel's reservation system, though the exact data elements remained unverified at the time of disclosure. Authorities advised affected customers to remain vigilant against potential scams exploiting the leaked information, reflecting concerns about fraudulent use of the stolen data. No ransomware claims or financial demands were referenced in initial reports, focusing attention on the data exposure itself rather than disruptive system encryption.
The incident represented one of Hong Kong's significant hospitality sector breaches, with the PCPD's investigation centering on both the attack methodology and Harbour Plaza's compliance with data protection obligations. Commissioner Chung's office sought detailed documentation from the hotel group regarding the breach timeline, security measures in place at the time of intrusion, and forensic findings about the exfiltrated data categories. Public notifications occurred through media channels rather than direct customer communications in the immediate aftermath, with RTHK broadcasting warnings about the heightened phishing and fraud risks stemming from the breach. The compromised booking system's geographic scope—whether limited to Hong Kong properties or affecting international locations—remained unspecified in available reports. No subsequent disclosures clarified whether payment details, identification documents, or other sensitive records were exfiltrated beyond basic booking information.