First, it was Marriott International that fell prey to a social engineering ploy. Then came IHG, whose booking channels and other apps were disrupted. Now, Shangri-La Group reported that customer data was stolen across eight of their hotels in Asia.

All three took place this year, within a span of three months.

As enterprises increasingly go digital, the risk of cyberattacks also multiplies. This is why cybersecurity continues to be a top priority for organisations regardless of size, because a start-up can be just as vulnerable to hacking as a multinational.

However, with the recent spate of attacks targeting hotels, how can the public be reassured going forward that their personal data won’t someday be floating around in the dark web? More importantly, how can hotels step up their security posture amid the growing sophistication of threat actors?

Unauthorised access

On September 30, 2022, Shangri-La Group, through a statement on its website and an email to affected customers, said it has discovered unauthorised activities on its IT network. After engaging cyber forensic experts to investigate, they found out that “a sophisticated threat actor” bypassed Shangri-La’s IT security monitoring systems between May and July 2022, and illegally accessed the guest databases of eight Shangri-La hotels.

The affected hotels were:

• Island Shangri-La, Hong Kong
• Kerry Hotel, Hong Kong
• Kowloon Shangri-La, Hong Kong
• Shangri-La Apartments, Singapore
• Shangri-La Singapore
• Shangri-La Chiang Mai
• Shangri-La Far Eastern, Taipei
• Shangri-La Tokyo

“Certain data files were found to have been exfiltrated from these databases but the investigation has not been able to verify the content of these files. The databases contained guests’ contact information but personal information such as dates of birth, identity and passport numbers, and credit card details, was encrypted. There is no indication that any guest data has been misused,” the statement read.

The company said operations have not been impacted by the breach, and that necessary steps were taken to strengthen the security of their IT networks.

Further, Shangri-La offered affected guests a one-year complimentary use of an identity monitoring service, as an added precaution.

When did Shangri-La know?

While details surrounding the Shangri-La hack are still minimal, one of the key concerns regarding the breach is the period during which the company learned about the incident.

According to Tin T. Nguyen, CEO and Co-Founder of Polaris Infosec, the time of discovery plays a crucial part in the investigation, and would make a huge impact on Shangri-La’s reputation going forward.

“Generally speaking, if they just discovered the breach and immediately notified their customers and partners, I’d say they’re doing the right thing. People may not be happy about it, but at least they can respect the fact that Shangri-La Group owned their mistake and are transparent about what they’re doing to mitigate it,” Nguyen said.

Considering the circumstances, Benjamin Harris, Founder and CEO of watchTowr believed Shangri-La handled the crisis well.

“From a security reputational standpoint, the Shangri-La Group responded relatively quickly if we look at the industry average for attacks of this nature — aggressive, and sophisticated, with likely nation-state backing. According to a recent report by IBM, the average breach lifecycle is 287 days — with organisations taking 212 days alone on average to identify a breach,” he explained.

The question remains: When did Shangri-La know about the data breach? A statement from Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) seemed to have some of the missing pieces of the puzzle.

The PCPD revealed that Shangri-La notified them about the incident on the evening of September 29, just hours before the latter made a public statement.

“The PCPD noted that the personal data of over 290,000 Hong Kong customers might have been affected. Having considered the nature of the incident and the significant number of data subjects involved, the PCPD has commenced a compliance check into the incident,” the statement read.

The PCPD also expressed its disappointment with the delayed notification from Shangri-La, which was “more than two months after it had become aware of the incident,” and enjoined organisations to notify the regulator of any data breach as soon as possible.

“If they knew about the breach as soon as it happened, but still chose to wait a few months until informing the public, that could negatively impact their reputation. However, I would wait on casting judgement until more information is released. Most of the time, the decision to wait on informing the public is based on an organisation trying to form a more complete picture of what happened, or first trying to resolve incidents internally/privately in order to avoid negative attention,” Nguyen said.

The Shangri-La Dialogue

With the Shangri-La data breach taking place between May and July 2022, some specialists believe that the hackers specifically targeted the 19th Shangri-La Dialogue, a high-level security summit attended by defence officials from 42 countries. The three-day event took place from June 10 to 12, at Shangri-La Singapore.

“Historically, we’ve seen hotels targeted for credit card data, or PII (personally identifiable information) of guests. However, in this particular incident, Shangri-La was likely targeted as a result of its hosting of the Shangri-La Dialogue in June this year— tempting the interest of a particular type of adversary, those aligned with various geopolitical interests,” said watchTowr’s Benjamin Harris.

“From an activity perspective, after the breach, we are unlikely to see much publicly. This is fairly typical though of a breach of this type — there won’t be data dumps, data releases, or anyone trying to sell the data, because this breach was likely an intelligence-gathering exercise,” he observed.

Are travellers’ data safe?

Whether or not the Shangri-La data breach was a state-sponsored attack aimed at gathering defence intel, it does not discount the fact that the personal data of ordinary travellers were put at risk, same with the IHG and Marriott cases. Questions therefore abound, not only pertaining to Shangri-La’s reputation after the incident, but to the impact to the hospitality industry in general.

Andhika Wirawan, Head of Strategic Business Development— APAC for ESET, thinks that the Shangri-La Group could have managed the situation better.

“A data breach incident is a terrible thing to happen, but it is made worse if an organisation responds poorly to it. It shows a lack of preparedness in handling an attack, and thus poses a question on their state of cybersecurity maturity. While investigations can still take place, through reporting the incident at the earliest based on the guidelines provided by the PCPD, organisations must help their customers to protect themselves, especially if their customers include high-profile personnel from various nation-states,” he said.

Joanne Wong, Vice President, International Markets at LogRhythm, shared the same sentiments.

“Shangri-La Group definitely could have done better in being transparent with their reporting of the data breach, especially given the magnitude and sensitivity of the breach. Understandably, there could be reasons for the delay, including allowing time for complete investigations, and ensuring that the threat actor is completely removed from the system. Regardless, organisations should prioritise transparency with customers and partners in how they are responding to any breach or hacks,” she said.

Since international travel is back in full swing, the hospitality industry should treat the Shangri-La incident as a wake-up call for more vigilance in terms of security, noted David Hope, Senior Vice President, Asia Pacific & Japan at ForgeRock.

“Being an industry with high-volume transactions, the hospitality industry is an attractive target for scammers and hackers to take advantage of. Many of these transactions take place almost entirely online, making it even more important for senior members in the industry to place cybersecurity at the core of the business,” Hope said.

He added that unauthorised access attacks account for 50% of all data breaches, and can cost companies as much as US$9.5 million to remediate per incident.

“These types of breaches are preventable as long as companies implement the right technologies, policies, and procedures, and educate their employees on how to be extra vigilant in the digital world,” Hope remarked.

Meanwhile, the hospitality industry will always be a prime target for cyber thieves, because of the rich value of data it holds, observed Andy Norton, European Cyber Risk Officer, Armis.

“An attack such as this puts individuals at risk of being targeted by fraudsters looking to use any learned information to extort. Even if hotel groups appear to have very firm incident response plans in place, they should be careful to understand how an attack on one IT system can leach into other operational areas, and how this could affect them,” he said.

“As a result of such data breaches, customers will be less inclined to share their personal information with hotels and resorts. This also meant that the importance of cybersecurity in the hospitality sector has risen,” Norton continued.

“Hotel chains and hospitality-related businesses have been targets of data breaches for many years — and their heavy reliance on credit card payments is one of the main reasons. The hospitality industry processes countless credit card payments every day, and this incident serves as a good reminder to all organisations to shore up their cybersecurity capabilities — especially ones that process large amounts of payment transactions or hold sensitive customer data in their systems,” LogRhythm’s Wong added.

Cybersecurity best practices

Cybercriminals, no doubt, are hatching new ways to penetrate enterprises’ security perimeter on a daily basis. Hence, organisations have to be miles and miles ahead of malicious actors, in order to prevent difficult losses.

Judging from what has been disclosed by Shangri-La so far, various experts agreed that visibility is a key component of a strong cybersecurity posture.

“Without this visibility, organisations struggle to discover the weaknesses attackers are likely to use when they try to breach the organisation. “By leveraging data to understand how the latest attacker tactics and techniques apply to them, organisations stay continuously informed, and this enables actionable defence, (thereby) removing the challenge that they face of keeping up with ever-evolving and emerging threats,” watchTowr’s Benjamin Harris explained.

As for Chris Thomas, Senior Security Advisor, APJ, at ExtraHop, the answer lies in breaking down silos to enable an integrated security approach.

“Through the integration of disparate data sources with the ability to process the massive amount of data available, visibility gaps are closed and effective investigation is enabled. This is especially true for monitoring not just the internet-facing perimeter devices, but internal systems like databases that hold the valuable data that attackers are after,” he said.

Moreover, the adoption of a zero-trust architecture will help prevent a lot of threat actors from penetrating a company’s network, according to Ian Hall, Head of Client Services, APAC at Synopsys.

“The main concept of zero trust is ‘Never trust, always verify,’ meaning that a device should never be trusted by default, even if it has previously been verified. With this in mind, organisations can implement security measures such as multi-factor authentication, web application firewalls, as well as securing its software supply chain,” he said.

Sandeep Bhargava, Managing Director, Asia Pacific and Japan, Rackspace Technology, echoed the sentiments about zero trust.

“Being on the front foot means adopting a zero-trust mindset where every access request is digitally verified, even if users and devices are already inside the network. This means implementing control over applications so that employees can only access the tools and data they need. Organisations might think that these security processes may seem burdensome, but it’s important to remember that all good work can be undone in a matter of seconds with poor management of the processes that govern security policies,” Bhargava said.

“With a growing hybrid workforce and continued adoption of the cloud, adopting a zero-trust approach is critical to preventing data breaches and ransomware attacks,” he added.

Ultimately, cybersecurity is more than just a matter of technology, noted Polaris Infosec’s Tin T. Nguyen.

“(Cybersecurity) is a people problem, not a technical problem as most people believe. To prepare for incidents, it starts with training and building awareness within your team. Learning how to operate your tech — everything from secure software development to how you use your email and unified communications systems on a daily basis, starts with proper training to ensure you’re smart about your actions, habits, and practices,” Nguyen said.

“Combined with that is having simple IT security policies like password requirements to ensure everyone knows about proper cyber hygiene and subsequent enforcement. Once that’s in place, you can move on to other steps like finding cyber solutions that are the right fit for your organisation,” he concluded.