Klook, a startup travel website based in Hong Kong that appears to serve customers worldwide, has announced a data breach that may have exposed its customers’ credit card details.
The breach appears to have occurred on the platform’s payment page and is also likely to have affected “basic customer contact information” required to make a booking.
It claims 8 percent of its customers have been affected however it’s unclear how many this equates to in absolute terms. According to a press release from late last year, the travel platform processes 1 million bookings per month.
The breach is likely to have affected transactions processed between December 11th 2017 and June 13th 2018. It posted the announcement about the breach on 29th June.
While the majority of the platform’s traffic originates from Asia, according to online competitive analysis tools the platform also appears to attract a not insignificant share of traffic from North America and Europe.
It also affords users the opportunity to view pricing in EUR or GBP, indicating it likely has a base of customers in the EU. The EU’s new far-reaching data protection regulation, the General Data Protection Regulation (GDPR), came into force on 25th May.
The travel platform also states that only transactions made through its website were affected i.e. transactions made through its mobile app were unaffected. It claims affected customers and relevant data protection authorities have been notified of the breach.
It has setup a dedicated email address to assist customers affected by the breach (privacy[at]klook.com) and advises all customers to change their passwords.
According to a report on TechCrunch, Klook recently secured $96 million in funding from backers including Goldman Sachs.