[Important Notice] (Follow-up report) Apology and notice regarding the possibility of a leak of personal information due to unauthorized access to the Booking.com management system and the delivery of messages leading to phishing sites

2023.08.09
News and Announcements

We sincerely apologize for the great inconvenience and concern caused to our guests by an incident in which the accommodations reservation information management system (hereinafter, management system) provided by Booking.com and used at our company was accessed illegally, and a message was sent to some guests directing them to a phishing site.
 
Regarding the “[Important Notice] Unauthorized e-mail from Booking.com” published on June 12, 2023, we would like to report the facts that have been discovered through subsequent investigations, as follows.
 
Notice dated 6/12
https://mimaruhotels.com/en/news/bookingcom/
 
1. Course of Events
We confirmed that on June 10, 2023, Booking.com, which is under our management, was illegally accessed and some guests that had reserved accommodations at “MIMARU SUITES Tokyo Asakusa” via Booking.com were sent messages directing them to phishing sites or the like through the management system of Booking.com. In addition, it is possible that guests’ personal information stored in the management system of Booking.com was viewed by a third party.
We are subsequently sending a message alerting guests who were sent the above message, as well as changing IDs and login passwords and conducting PC security checks at all MIMARU facilities.
We have further confirmed that no unauthorized access occurred at other facilities or at the Booking.com main system.
 
2. Event Details
(1)   Affected guests
Guests who made reservations for “MIMARU SUITES Tokyo Asakusa” on Booking.com from August 30, 2022 to June 10, 2023
 
(2)   Number of cases in which it is possible that personal information was leaked
1,001 cases of personal information of guests who reserved “MIMARU SUITES Tokyo Asakusa” and whose information was stored in Booking.com's management system
*Lists of personal information of guests cannot be extracted from the management system of Booking.com. Rather, the specifications allow for viewing it one at a time.
 
(3)   Personal information of guests that was possibly leaked
Name/telephone number/e-mail address/nationality
 *This does not include payment-related information such as credit card information or financial institution account information.


(4)   Cause
As a result of an investigation of the cause by a specialized company, we have determined that the cause of the unauthorized access to the management system was that one of the terminals of “MIMARU SUITES Tokyo Asakusa”, which manages the system, was infected with malware on June 6, 2023.
 
(5)   Presence or absence of secondary damage or the risk thereof and details
We have confirmed that some guests provided credit card information to the phishing site described in the messages that were sent, and suffered financial damage.
 
 
3. Request to Guests
If you receive a suspicious message, please do not access any attached URL links. Please contact Booking.com or us as below if you are unfamiliar with the content of such messages.
 
If you have an inquiry regarding this case, please use the following contact information.
[Guests contact for accommodations/reservations for “MIMARU SUITES Tokyo Asakusa”]
 MIMARU SUITES Tokyo Asakusa
suites.tokyo-asakusa@chm.cigr.co.jp
 
[Contact for other/media]
pr-info@chm.cigr.co.jp
 
4. Future Handling and Measures to Prevent Recurrence
Based on the results of the investigation and suggestions from related organizations, we will strengthen our measures, such as introducing additional security tools and educating employees.
 
We offer our sincerest apologies for the trouble and concern that this has caused our guests.
 

 

*“Phishing site” refers to a fake website that utilizes fraudulent methods to steal personal information, credit card numbers, etc., disguised as an actual website. In addition, as in this case, this also includes content that encourages someone to transfer money, under the pretext of a deposit, etc., to a malicious third party that is not our company.
