Klook Notifies Customers of Potential Third-Party Data Breach Incident

Hong Kong, 29 June 2018 - Klook has become aware that certain customer information may have been accessed without authorization, as a result of a malicious JavaScript code associated with a third-party web-based analytics tool, SOCIAPlus (the “third-party provider”), which Klook used on its website. Immediately upon discovering it, Klook has disabled the feature to protect our customers, and is actively conducting investigation alongside an independent forensics company. Upon enquiry, Klook received confirmation from the third-party provider that the source of the data breach was a single piece of JavaScript code that was infected.

The incident resulted in the possible compromise of personal data and credit card information provided by customers. Transactions made on the Klook website between December 11, 2017 to June 13, 2018 may have been impacted, and those made via the Klook mobile app (both iOS and Android) were not. While investigations are ongoing and Klook is working to categorically exclude customers from risk, Klook estimates that approximately 8% of users may have been affected. Klook has actively reached out to notify potentially impacted customers.

In addition, Klook has completed a primary investigation with Kroll, a global leader in cyber security and forensics investigation. Since the removal of the JavaScript, there is no indication of data loss. Klook and the third-party provider are cooperating to continue with further investigations on this incident. The third-party provider claims it is confident that this was an isolated incident, and that the vulnerability occurred due to a specific custom implementation conducted by the third-party provider.

Klook takes data security and the handling of customer information very seriously. The company’s first priority is to protect its customers’ interests and has hence decided to take swift and proactive actions to address the issue: Klook has notified the relevant regulatory authorities Klook will be reviewing its existing cyber security protocols regularly, and will also implement even stricter review processes for materials from third-party providers Klook will continue investigations with Kroll to determine more facts surrounding this incident

The company has put all appropriate resources behind these efforts to maintain a safe environment for customers to enjoy Klook’s services.

FAQs

About the incident

1. What are the facts surrounding this incident?

Klook has become aware that certain customer information may have been accessed without authorization, as a result of a malicious JavaScript code associated with a third-party web-based analytics tool, SOCIAPlus (the “third-party provider”), which Klook used on its website. Immediately upon discovering it, Klook has disabled the feature to protect our customers, and is actively conducting investigation alongside an independent forensics company. Upon enquiry, Klook received confirmation from the third-party provider that the source of the data breach was a single piece of JavaScript code that was infected.

The incident resulted in the possible compromise of personal data and credit card information provided by customers. Transactions made on the Klook website between December 11, 2017 to June 13, 2018 may have been impacted, and those made via the Klook mobile app (both iOS and Android) were not. While investigations are ongoing and Klook is working to categorically exclude customers from risk, Klook estimates that approximately 8% of users may have been affected. Klook has actively reached out to notify potentially impacted customers.

2. What has Klook done to rectify the situation?

Klook has completed a primary investigation with Kroll, a global leader in cyber security and forensics investigation. Since the removal of the JavaScript, there is no indication of data loss. Klook and third-party provider are cooperating to continue with further investigations on this incident. third-party provider claims it is confident that this was an isolated incident, and that the vulnerability occurred due to a specific custom implementation conducted by third-party provider.

Klook takes data security and the handling of customer information very seriously. The company’s first priority is to protect its customers’ interests and has hence decided to take swift and proactive actions to address the issue: Klook has notified the relevant regulatory authorities Klook will be reviewing its existing cyber security protocols regularly, and will also implement even stricter review processes for materials from third-party providers Klook will continue investigations with Kroll to determine more facts surrounding this incident

The company has put all appropriate resources behind these efforts to maintain a safe environment for customers to enjoy Klook’s services.

3. How many customers were affected?

How many customers were affected? While investigations are ongoing and Klook is working to categorically exclude customers from risk, Klook estimates that approximately 8% of users may have been affected. Klook has actively reached out to notify potentially impacted customers.

The affected bookings are isolated to transactions made via our website (www.klook.com). Transactions made via the Klook App were not impacted.

What to do if you’re affected

4. What should I do if I think my credit card information has been compromised?

We urge customers to remain vigilant and to contact your credit card issuer immediately regarding any suspicious transactions. In instances of payment card fraud, it is important to note that cardholders are typically not responsible for any fraudulent activity that is reported in a timely fashion.

5. Aside from payment information, was any of my other data compromised?

Based on our investigations to date, details on the payment page - including basic customer contact information essential to the booking of travel services - may have potentially been affected. At present, there has been no indication that this personal data, aside from payment information, has been used in any malicious manner.

Customers are advised to change their passwords. As best practice, it is recommended to use stronger combinations of at least 8 alphanumeric characters

6. How can I be sure that my credit card information is safe when I book with Klook?

All transactions on the Klook website and the mobile app are handled by secure external payment gateways. As best practice, we periodically review our cyber security protocols closely with our partners to ensure they are as robust as we can make them.

7. Will Klook compensate me if my credit card was used for illegal transactions?

We deeply regret any inconvenience to customers who may have been victim to credit card fraud as a result of the security breach linked to our external vendor. Customers should refer any questions regarding compensation for credit card fraud to their banks or credit card issuers. Cardholders are typically not responsive for any fraudulent activity that is reported in a timely fashion - the bank generally will refund you the amount suspected of fraud.

8. I have a live booking with Klook. Will this impact my travel plans?

This incident has no implication on live bookings and will not affect the fulfillment of services by Klook. To minimise impact on your travel plans, we strongly encourage you to continue with booked activities but to remain alert to any suspicious transactions on your credit card.

9. Klook has an option to “save” a credit card for future bookings. Is this risky?

Your card information is never processed or save on our website - it is sent directly to our payment processing partner over an encrypted connection, and processed on their secure servers. What Klook receives in return is a “token” - a string of symbols that represents your card. This token is stored in our system, but it is impossible for us to decrypt it to access your card information.

Strengthening security protocol

10. Moving forward, what measures will Klook take to avoid similar data breaches?

As a technology company, Klook has always developed our platforms with data protection at the core. Following this incident involving a third-party provider, we will be reviewing our existing cyber security protocols. We will also implement even stricter review processes for materials from third-party providers.

The company has put all significant resources behind these efforts and will continue to uphold our highest standards for maintaining a safe environment for customers to make bookings on Klook.


Customers who require additional support for their bookings made between December 11, 2017 to June 13, 2018 using the impacted payment methods can write in to Klook at privacy@klook.com. This is a dedicated channel set up for customers affected by this incident.