Data Leak at Hong Kong’s Harbor Plaza Hotel Affects 1.2M

Breach Notification, Incident & Breach Response, Security Operations

Hong Kong’s Office of the Privacy Commissioner for Personal Data Is Investigating

Mihir Bagwe •
February 15, 2022

The Hong Kong Harbor Plaza Metropolis was affected among hotels. (Source: Harbor Plaza Group)

The Office of the Privacy Commissioner for Personal Data in Hong Kong has begun an investigation into a data leak incident that was reported to it by Harbor Plaza Hotel Management on Feb. 9. Citing the report from the hotel group, the Office of the PCPD tells Information Security Media Group it appears that approximately 1.2 million customers of the Harbor Plaza hotel chain have been affected.

See Also: Live Webinar | How to Stop the Four Horsemen of the Data Loss Apocalypse

The PCPD tells ISMG that “the affected data was the data of guests who stayed in those hotels.”

“As the investigation into the data breach incident is ongoing, the PCPD is not in a position to disclose any further information at this stage,” the organization tells ISMG, declining to describe the type of cyberattack, the threat actor involved or details about the data compromised.

Harbor Plaza Hotel Management also declined ISMG’s request for comment, citing the ongoing investigation, and referred to the statement that it published after informing the Office of the PCPD of the attack.

The Hotel Group’s Disclosure

The incident has also been reported to the Hong Kong Police and other relevant authorities, according to Harbor Plaza’s statement. It says that the company has on-boarded an unnamed third-party cybersecurity forensics team to investigate and contain the incident and to tighten its security perimeter for the future.

In its FAQs related to the data leak, the company says that those affected will be notified. The hotel group says “accommodation reservation databases” were affected and asks customers to remain “vigilant against phishing or other attempted scams.” It appears that data such as name, email ID, phone numbers, reservation and stay details of the customers visiting the hotel may have been compromised.

The hotel group advises customers to “not open attachments in any email or click on any links if you have concerns regarding any email or SMS messages.” It also warns that attackers might impersonate an employee of the hotel group and call potential victims for any personally identifiable information. “Please note that we will not ask for any personal information and will never ask for any passwords,” the FAQs say.

The hotel group says, “Our reservation system is operating as usual.”

Another Investigation

Separately, the Office of the PCPD is investigating a case regarding HKTVmall, a popular shopping and entertainment platform operated by Hong Kong Technology Venture Co. Ltd.

Ada Chung Lai-ling, the privacy commissioner at the Office of the PCPD, says in a statement: “In relation to the media reports on the abnormal and suspicious activities on the computer system of HKTVmall discovered on Jan. 26, which led to an unauthorized access to a small portion of the customers’ data of HKTVmall, the PCPD is presently following-up the matter with the company, including ascertaining the number of Hong Kong customers affected.”

On Feb. 4, HKTV Co. Ltd. released an announcement saying that unauthorized access to customer information has compromised the personal information of a “small portion” its 4.38 million registered customers. The accessed server was located in some “other Asian” country, according to the announcement.

The company says that it immediately informed the Hong Kong Police and the PCPD and that it brought in two cybersecurity firms on Jan. 27 itself “to conduct investigation and to further enhance HKTVmall’s network and system security measures.”

According to HKTVmall, the customer information that may have been accessed by an unauthorized person can include:

  • Registered account names;
  • Encrypted and masked login passwords;
  • Registered and contact email addresses;
  • Recipient names, delivery addresses and contact phone numbers for orders between December 2014 to September 2018;
  • Date of birth, registered name and email addresses for Facebook account and Apple ID of HKTVmall customers who have linked their account to Facebook account or Apple ID.

The HKTVmall spokesperson declined to provide ISMG with further updates about its investigation but confirmed that at the time, there was no evidence of customer data having been misused.

In the recent past, Hong Kong has been a hot target in the Asian region, especially owing to its sociopolitical tensions. In January, a new cyberespionage malware dubbed DazzleSpy was found targeting macOS and iOS users across the territory. The malware was being planted through the news website of pro-democracy radio station D100, which had been compromised earlier through a watering hole campaign that exploited a Safari browser vulnerability (see: New macOS Malware Planted via Pro-Democracy Hong Kong Radio

Leave a Comment

Your email address will not be published.