Skip to content

Media Statements

Media Statement - Privacy Commissioners Office Commences Compliance Check into a Data Breach Incident of Shangri-La Group

Date: 1 October 2022

Privacy Commissioner’s Office Commences Compliance Check into a Data Breach Incident of Shangri-La Group

The Office of the Privacy Commissioner for Personal Data (PCPD) received a data breach notification from Shangri-La Asia Limited (Shangri-La) in the evening of 29 September, notifying the PCPD that 8 of its hotels suffered cyber attacks, including 3 hotels in Hong Kong (Island Shangri-La, Hong Kong; Kerry Hotel, Hong Kong; Kowloon Shangri-La, Hong Kong). The PCPD noted that the personal data of over 290,000 Hong Kong customers might have been affected. Having considered the nature of the incident and the significant number of data subjects involved, the PCPD has commenced a compliance check into the incident.
The PCPD is disappointed to note that Shangri-La only formally notified the PCPD and informed its customers of the incident more than two months after it had become aware of the incident.
The PCPD calls on organisations to notify the PCPD of any data breach incident as soon as possible. Notification of a data breach incident will enable the PCPD to help the organisation and the affected parties to take appropriate and timely measures to minimise the damage caused by the incident to the organisation and the affected parties. The organisation should also notify the affected parties of the data breach incident as soon as possible.
The PCPD appeals to citizens who have previously stayed in, and provided their personal data to, the Shangri-La hotels in question to be vigilant about potential theft of their personal data. If they are in doubt about whether their personal data have been leaked, they may make enquiries with Shangri-La, or make enquiries/complaints to the PCPD (telephone: 2827 2827 or email: To protect personal data privacy, affected citizens are also advised to take the following measures: -
  • Beware of any unusual logins of any registered accounts and personal emails;
  • Review their payment card statements to spot any unauthorised transactions;
  • Change the passwords of the relevant accounts and enable the two-factor authentication function (if available);
  • Stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources; and
  • Be vigilant against phishing or other possible scams.
The PCPD has not received any enquiries from members of the public regarding the incident up to the present.