Harbour Plaza Hotel Management Limited - Notification of data incident


Dear Valued Customer, 

Harbour Plaza Hotel Management Limited and its hotels (HPHM) value the relationships we have with our guests and consider the protection of our customers’ personal information a very important part of our service promise. HPHM recently suffered a data security incident that may involve some of your personal information. This notice explains what happened, the measures we have taken, and the steps you may consider taking to help protect your information.


What happened?
On 29 December 2021, we detected a cybersecurity incident that impacted some of our systems. In accordance with our information security protocols, we promptly took our systems offline, launched an investigation, and a leading cybersecurity firm was engaged to assist.


Since then, we have been actively investigating to determine the scope of the incident. Our investigation determined that an unauthorised party gained access to, and obtained data from, some of our hotels’ accommodation reservation databases.


What information was involved?
We conducted a review of the data to identify individuals whose personal information was involved. Our investigation has determined that some of our guests’ information was involved and, for affected guests, the information may have included: name, date of birth, address, mobile phone number, email address, Hong Kong Identity Card Number, passport or identity number and, in a small number of cases, payment card number and expiry date.


What are we doing?
We take the privacy and security of your data extremely seriously. We are working with forensic specialists to thoroughly investigate the matter and have formally notified the Hong Kong data protection authority, other relevant authorities[1] and the police.


In addition, our IT team has been working diligently to implement additional measures to further enhance the security of our IT infrastructure to help ensure that the information we hold is protected.


As an added precaution, to help protect your personal information, we are offering a complimentary 12-month membership of Experian IdentityWorks℠ in countries where it is available.[2] The service monitors the web, social networks and public databases, looking for your details to detect theft, loss or disclosure of your personal and financial information. If your information is found, you will be alerted and given help and advice on what to do next to protect yourself from fraud.


What can you do?
We encourage you to follow these standard security recommendations:
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
- Avoid clicking on links or downloading attachments from suspicious emails; and
- Remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorised activity.


All payment card and expiry date data was stored in encrypted form in our system and it has not been confirmed whether the data was able to be decrypted in the course of the incident. We are highlighting this to you in an abundance of caution. It is always advisable to closely review your payment card statements for any unauthorised charges. You should immediately report any unauthorised charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorised charges reported in a timely manner. The phone number to call is usually on the back of your payment card.
Affected guests located in countries where Experian IdentityWorks℠ is available may contact us before 20 April 2022[3] to obtain their complimentary 12-month membership.


For more information
We sincerely regret that this incident occurred. If you have any questions about the incident, you can obtain further information via:
Our information site located at https://info.harbour-plaza.com.
You may also contact us via email if preferred at privacy@harbour-plaza.com[4]. A member of our privacy team will respond as soon as possible.


Kind regards,
Harbour Plaza Hotel Management Limited


------------------------------------------


1)  This includes the Office of the Privacy Commissioner in New Zealand.
2)  Hong Kong, Australia, New Zealand and Turkey.
3)  The membership must be activated by 20 April 2022.
4)  If you are in New Zealand, you also have the right to make a complaint to the Office of the Privacy Commissioner in New Zealand.