[Important Notice] (Follow-up report) Apology and notice regarding the possibility of a leak of personal information due to unauthorized access to the Booking.com management system and the delivery of messages leading to phishing sites

2023.10.30
News and Announcements

We sincerely apologize for the great inconvenience and concern caused to our guests by an incident in which the accommodations reservation information management system (hereinafter, management system) provided by Booking.com and used at our company was accessed illegally, and a message was sent to some guests directing them to a phishing site.

Regarding the “[Important Notice] Notice regarding the delivery of messages leading to personal data phishing sites” published on September 21, 2023, we would like to report the facts that have been discovered through subsequent investigations, as follows.

Notice dated 9/21
https://mimaruhotels.com/news/230921/

1. Course of Events
We confirmed that on September 20, 2023, the Booking.com management system under our management was illegally accessed, and some guests who had reserved accommodations at “MIMARU Ikebukuro” via Booking.com were sent messages directing them to phishing sites or the like through that management system. In addition, it is possible that guests’ personal information stored in the management system of Booking.com was viewed by a third party.
We are subsequently sending an alert message to guests who were sent the above message, as well as changing login passwords and conducting PC security checks at all MIMARU facilities.
We have further confirmed that no unauthorized access occurred at other facilities or in the Booking.com main system.

2. Event Details
(1) Affected guests
Guests who made reservations for “MIMARU Ikebukuro” on Booking.com from September 26, 2022 to September 20, 2023

(2) Number of cases in which it is possible that personal information was leaked
3,132 cases of personal information of guests who reserved “MIMARU Ikebukuro”, stored in Booking.com's management system
*Lists of guests' personal information cannot be extracted from the management system of Booking.com. Rather, the specifications allow it to be viewed only one record at a time.

(3) Personal information of guests that was possibly leaked
Name/telephone number/e-mail address/nationality
*This does not include payment-related information such as credit card information or financial institution account information.

(4) Cause
As a result of an investigation of the cause by a specialized company, we have determined that the unauthorized access to the management system occurred because two of the terminals at “MIMARU Ikebukuro”, which manages the system, were infected with malware on September 17, 2023.

(5) Presence or absence of secondary damage or the risk thereof and details
We have confirmed that some guests provided credit card information to the phishing site described in the messages that were sent, and suffered financial damage.


3. Request to Guests
If you receive a suspicious message, please do not access any attached URL links. Please contact Booking.com or us as below if you are unfamiliar with the content of such messages.

If you have an inquiry regarding this case, please use the following contact information.
[Guest contact for accommodations/reservations at “MIMARU Ikebukuro”]
MIMARU Ikebukuro
ikebukuro@chm.cigr.co.jp

[Contact for other/media]
pr-info@chm.cigr.co.jp

4. Future Handling and Measures to Prevent Recurrence
Based on the results of the investigation and suggestions from related organizations, we have implemented measures such as the introduction of additional security tools and employee education to prevent recurrence. We will continue to enhance our security measures going forward.

We offer our sincerest apologies for the trouble and concern that this has caused our guests.


*“Phishing site” refers to a fake website that utilizes fraudulent methods to steal personal information, credit card numbers, etc., disguised as an actual website. 
