Monday 10th December 2018

Klook announces data breach that may have exposed customers’ credit card details

The breach appears to have originated from the travel platform's payment page. "Basic customer information" necessary to make a booking is also likely to have been affected.
by Jason Smith on 3rd July 2018

Klook, a startup travel website based in Hong Kong that appears to serve customers worldwide, has announced a data breach that may have exposed its customers’ credit card details.

The breach appears to have occurred on the platform’s payment page and is also likely to have affected “basic customer contact information” required to make a booking.

According to an announcement posted on its website, customers’ data was exposed due to a custom snippet of “malicious JavaScript” associated with third-party tracking platform SOCIAPlus.

It claims 8 percent of its customers have been affected; however, it's unclear how many this equates to in absolute terms. According to a press release from late last year, the travel platform processes 1 million bookings per month.

The breach is likely to have affected transactions processed between December 11th 2017 and June 13th 2018. It posted the announcement about the breach on 29th June.

While the majority of the platform’s traffic originates from Asia, according to online competitive analysis tools the platform also appears to attract a not insignificant share of traffic from North America and Europe.

It also affords users the opportunity to view pricing in EUR or GBP, indicating it likely has a base of customers in the EU. The EU’s new far-reaching data protection regulation, the General Data Protection Regulation (GDPR), came into force on 25th May.

The travel platform also states that only transactions made through its website were affected, i.e., transactions made through its mobile app were unaffected. It claims affected customers and relevant data protection authorities have been notified of the breach.

It also claims it has conducted an investigation of the breach alongside cybersecurity firm Kroll and that, since the removal of the custom JavaScript snippet, no further data loss has occurred.

It has set up a dedicated email address to assist customers affected by the breach (privacy[at]klook.com) and advises all customers to change their passwords.

According to a report on TechCrunch, Klook recently secured $96 million in funding from backers including Goldman Sachs.