Skip links

No Shangri-La for you: Top hotel chain confirms data leak

Hotel chain Shangri-La Group has admitted to its systems being attacked, and personal data describing guests accessed by unknown parties, over a timeframe that includes the dates on which a high-level international defence conference was staged at one of its Singapore properties.

“Shangri-La Group recently discovered unauthorized activities on our IT network,” states a notice from the chain that goes on to reveal that “between May and July 2022, a sophisticated threat actor managed to bypass Shangri-La’s IT security monitoring systems undetected, and illegally accessed …. guest databases”.

Data was exfiltrated from the databases, which contained guests’ contact information plus encrypted info on dates of birth, identity documents and passport numbers, plus credit card details. Three properties in Hong Kong were attacked, along with one each in Taiwan, Japan and Thailand.

The Shangri-La Singapore and Shangri-La Apartments Singapore were also hit.

Which is where things get interesting, because from June 10 to 12 this year the Singapore hotel hosted the “Shangri-La Dialogue”, an event that bills itself as Asia’s leading defense conference.

Attendees included the prime minister of Japan, US defense secretary Lloyd J Austin III, plus defense ministers and other senior figures from Indonesia, France, Malaysia, Qatar, China, the UK, Germany, and many other nations.

It’s unclear if any or all of the dignitaries at the event stayed at the hotel and therefore had their details registered in the database that was illegally accessed.

Another attendee was Australian defense minister and deputy prime Minister Richard Marles, which we mention because Australia’s Defence Department today told the Australian Broadcasting Corporation it is “working with the company to understand the impact on Australian Defence attendees at the Shangri-La Dialogue”.

Which suggests that some Australian personnel may have stayed at the hotel and their presence was recorded in the leaked database.

Which is almost certainly of interest to many, as the proceeds of the Shangri-La Dialogue are off the record and details of delegations are not disclosed.

Or perhaps whoever attacked the database just wanted to get the credit card numbers of the kind of people who can afford to stay at a Shangri-La hotel: The Register visited the hotel’s booking page and found the cheapest room for tonight costs $333.80, but suites are also available at an eye-watering $10,541.11. ®