[BreachExchange] Cyberattack on Harbour Plaza hotels in Hong Kong exposes personal data of more than 1.2 million guests

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Feb 11 10:19:05 EST 2022


https://www.msn.com/en-xl/news/other/cyberattack-on-harbour-plaza-hotels-in-hong-kong-exposes-personal-data-of-more-than-12-million-guests/ar-AATJq9h

Office of the Privacy Commissioner for Personal Data launches investigation
into illegal access of several databases for room reservations

Attack comes after online retailer HKTVmall suffered database leak that
exposed delivery addresses, recipient names and contact numbers

Hong Kong's privacy watchdog is investigating a cyberattack against the
Harbour Plaza hotel group that exposed the booking details of more than 1.2
million guests.

The Office of the Privacy Commissioner for Personal Data said on Friday
that it had received reports from Harbour Plaza Hotel Management Limited
two days ago about a cybersecurity incident involving several databases for
room reservations.

Given the large number of people affected, the office said it had launched
an investigation and had approached the company for more information,
including what type of personal data was leaked.

The group manages 11 hotels in the city, including Harbour Grand Hong Kong
and Harbour Grand Kowloon, with more than 8,500 guest rooms and serviced
suites in total, according to its website.

Commissioner Ada Chung Lai-ling urged anyone who had stayed at the hotels
to remain vigilant over misuse of their personal information and alert the
agency if they noticed anything suspicious.

The company said that immediately after the attack it engaged a team of
third-party forensic experts to investigate and contain the incident, as
well as further secure the system. But it did not disclose the number of
guests affected by the leak.

"Our investigation is ongoing and the case has been reported to the Hong
Kong police and other relevant authorities," the group said. "We will be in
touch with our guests directly if they have been affected by this incident
and provide further information regarding the incident."

Guests were reminded to be vigilant against phishing or other attempted
scams and be alert for any suspicious activity.

One of Hong Kong's largest online shopping platforms, Hong Kong Technology
Venture Company Limited, HKTVmall's parent company, last week revealed it
suffered a security breach in January that resulted in the unauthorised
access of customer information, such as delivery addresses, recipient names
and contact numbers.

The company said it had detected "abnormal and suspicious activities" on
its computer systems on January 26, with unauthorised access to customer
information on its delivery platform recorded on its servers located
elsewhere in the region.

"A small portion" of the information for its 4.38 million registered
customers was accessed, it said.

Based on its investigation, the company concluded that the affected data
might include names of account holders, encrypted and masked login
passwords, email addresses, recipients' names, delivery addresses and
contact numbers for orders placed between December 2014 and September 2018.

Dates of birth, recipients' names and email addresses for HKTVmall accounts
linked to Facebook accounts and Apple ID might also have been accessed.

Vice-chairman and group CEO Ricky Wong Wai-kay apologised on behalf of the
company.

The privacy watchdog said on Friday that it had been following up that
breach and was trying to understand the number of people affected.

The office received 3,157 complaints and 18,253 inquiries in 2020-2021.
Investigators carried out 356 compliance checks and 50 investigations over
the period of time.