Skip to content
View in the app

A better way to browse. Learn more.

Thailand News and Discussion Forum | ASEANNOW

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Hackers in Thailand hacked a hotel. Looking for a legal advice.

Featured Replies

  • Popular Post

Hi,

 

I was trying to book a hotel for a quarantine stay. Contacted one from the list of approved, they said write an inquiry to hotel's email.

I sent the inquiry, they replied with the pricing. I agreed. They sent bank account number (private) for the payment. After I made the payment they unexpectedly asked for 25,000 as "security deposit".

This was suspicious and I called the hotel again. Hotel said they had a security breach and I actually made the payment to hackers.

All the communication and the payment request was done from company's email address.

 

The hotel refused to provide the room and refuse to return money.

 

At the same day I reported the case to police, but would like to get money back from the hotel. Technical information (SMTP headers) from the emails is identical in legal and in hacked emails.

I hope there is a small case court in Thailand to resolve this easily.

 

Banks don't help, send me to police.

 

What do you think, is there a way to get money back ?

 

  • Replies 47
  • Views 3.6k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • OneMoreFarang
    OneMoreFarang

    Private? Like pay to Somchai Crook?   When I pay for a hotel there are two options: Credit card or transfer to the hotel account with a name that matches the name of the hotel. 

  • Seems like an inside job, maybe some hotel f**kery going on…

  • Yes, I thought the same. In real a easy job for the police. 1. They have the bank account owner, who received the money. 2. They can find out the ip of the person who sent the email. 3. They

  • Author

Hi,

 

Addition: I did a websearch on hotel name and found post on tripadvisor (mytrip) reporting exactly the same situation on 19 November 2021.

So, I'm not only one....

So how much did you pay.? 

  • Author

Kwasaki,

 

Thank you for your attention, I lost 18,000 and the guy from tripadvisor 20,000.

 

 

  • Popular Post
8 minutes ago, plus7 said:

Kwasaki,

 

Thank you for your attention, I lost 18,000 and the guy from tripadvisor 20,000.

 

 

In theory they are liable, but in practice I doubt a small case court can deal with this. Digital crime is highly specialised topic and most likely there has to be experts called as witnesses to explain in plain language what SMTP headers are. Btw these can be forged too. IMO your best bet is to find more victims and act together, your case would look much more probable.

File a police report first and mention the tripadvisor post as well. The police in many countries have digital crime units now, they are obliged to act on cases like this. Also in some countries there is now a mandatory breach disclosure and notification, the hotel may breach the law if they are aware their infrastructure is hacked and they fail to notify the police and the potential victims.

  • Author

gearbox,

 

Thank you for your valuable advice. Yes, headers can be forged, but DKIM signature (which is present and valid), can't be forged.

I will try to find more victims, maybe this topic will help to find someone.

You phoned the hotel and they told you to make your inquiry to the hotel's email address?

The hotel's email address was hacked?

2 minutes ago, plus7 said:

gearbox,

 

Thank you for your valuable advice. Yes, headers can be forged, but DKIM signature (which is present and valid), can't be forged.

I will try to find more victims, maybe this topic will help to find someone.

 

Reading more carefully your post it seems that they were fairly stupid to admit in an email that they have been hacked. Unless that email is from the hackers too ????

 

You can extract an admission of hacking by calling them by phone and record the call...just try to make them admit clearly that they have been hacked. A court can understand this better than the technicalities of the SMTP exchanges and DKIM signatures.

 

In some countries recording a phone call when you are a participant is legal and can be used in a court as an evidence. Have no idea what the Thai law says about this.

 

 

 

  • Popular Post
3 minutes ago, Chris.B said:

You phoned the hotel and they told you to make your inquiry to the hotel's email address?

The hotel's email address was hacked?

yes, that part of the story stands out.

points to an inside job.

I would report the case to the cybercriminality division of the police, along with the report from November.

 

Either an inside job or criminal negligence.

 

Also, the account should be easily traceable.

I'd bet on inside job.

Edited by tgw

Did you pay with a Bank Card, or Credit card.  Many will refund the money once you lodge a fraudulent use claim.

  • Popular Post
4 hours ago, plus7 said:

They sent bank account number (private) for the payment.

Private? Like pay to Somchai Crook?

 

When I pay for a hotel there are two options: Credit card or transfer to the hotel account with a name that matches the name of the hotel. 

  • Popular Post

Maybe this will help you: Any business in Thailand is required to keep logs of the internet traffic for (as far as I remember) 6 month. If they don't keep the logs or if there are no logs there can be a very high penalty.

 

So maybe ask them for the logs. And when they reply there are no logs ...

2 minutes ago, OneMoreFarang said:

Private? Like pay to Somchai Crook?

 

When I pay for a hotel there are two options: Credit card or transfer to the hotel account with a name that matches the name of the hotel. 

yeah, well, some people are gullible (many) and this is Thailand.

the crook is criminally guilty, while the injured parties are minimally guilty of negligence.

  • Author

Hi everyone,

 

Thank you for your recommendations.

 

Yes, they sent me the email saying:

 

Please pay to this account:

1234556

Somchai Crook

 

I checked the email, it came from the valid source. So I was sure this is ok. All emails contained quotations from previous emails.

 

The payment was done from a mobile phone application. This transaction isn't reversible. A lesson for me to use a credit card next time.

 

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They virtually saying, we can't help you because you sent money somewhere else.

 

The woman whose email it was, cried: "I did't send you anything!!!".

The superviser woman, who introduced herself only with the nickname said "Please make the payment one more time, this time, for sure, to the right account and we will give you better room. This is all we can do for you."

 

And this is a big (not international) hotel managing company, their ratings on Agoda or elsewhere are generally good.

 

I did the booking with another hotel, of course, and they took only pre-payment. Like if quarantine stay rule will be canceled, no problem.

 

 

18k baht certainly hurts, but in the grand scheme of things I personally wouldn't try to pursue a court case from outside of the country.  The time, effort, aggravation and very real risk of money paid to a lawyer being just a waste make it in my mind just not worth it.

 

18k sounds like it is for a longer stay, maybe the best course of action is to make what lemonade you can out of the situation by speaking with the general manager directly and getting the hotel to get you one of their best rooms at the most discounted rate you can talk them into.   They do have some responsibility and will hopefully at least acknowledge it that way.  If the GM won't do that you could try going higher up within the management company.

  • Popular Post
10 hours ago, plus7 said:

gearbox,

 

Thank you for your valuable advice. Yes, headers can be forged, but DKIM signature (which is present and valid), can't be forged.

I will try to find more victims, maybe this topic will help to find someone.

If you were instructed to inquire via email and having followed that instruction, you received a response with instructions to pay to a certain account, the hotel should be held liable for damages as a result of negligence on their part. They know they were hacked and yet advised you to use email nevertheless. They should have disabled their email system or, if it was under the hacker's control, they should have removed or amended the email address on their website.

 

Ruthless of them to simply dismiss responsibility. The appropriate way to right this wrong is for them to write off this loss for reputational reasons and offer you a room complimentarily. 

 

Edited by mvdf

  • Popular Post

Seems like an inside job, maybe some hotel f**kery going on…

  • Popular Post
2 hours ago, Chosenfew said:

Seems like an inside job, maybe some hotel f**kery going on…

Yes, I thought the same. In real a easy job for the police.
1. They have the bank account owner, who received the money.
2. They can find out the ip of the person who sent the email.

3. They can find out over which ip the mail account is checked for new mails.

18 hours ago, plus7 said:

Hotel said they had a security breach

???? oh sure

Perhaps employees in the back room using email addresses. 

Use a booking service. Agoda, Expedia etc…  you’re not getting your money back. You might get the Hotel to agree to discount. 

Have you contacted the bank to where you forwarded the deposit..?

Maybe some useful information on legal requirements for originations in Thailand to report data security breaches. 

 

DATA BREACH REPORTING UNDER THE THAILAND PDPA

 

Extract: If the data breach IS likely to result in a risk to the rights and freedoms of data subjects, then the controller must report the breach to the PDPC within 72 hours of becoming aware of it.

 

Not saying it will help you with any legal aspects, but possibly you can rattle the hotel's chain and request reimbursement, or you're going to report them for PDPA violation of non-compliance to report a security breach issue.

 

When PDPA is enforced but not complied with What penalties will there be?

 

Failure to comply with the PDPA will be penalized for non-compliance. 

 

There are 3 types of Personal Data Protection Act (PDPA) as follows:

 

Civil penalty

 

Civil penalties are required to indemnify the owner of the personal data that was damaged by the infringement. and may be required to pay additional compensation for additional punitive damages up to 2 times the actual damages. Must pay compensation to the owner of the personal data in the amount of 100,000 baht, the court may order a penalty for punitive damages 2 times the actual damages equal to having to pay all the fines in the amount of 3 hundred thousand baht

 

Criminal penalties

 

Criminal penalties include both imprisonment and a fine, with a maximum imprisonment of not more than 1 year or a fine of not more than 1 million baht, or both. The maximum penalty is imposed on non-compliance with the PDPA in respect of the use of data. or disclose information or send data transfers to foreign countries Types of sensitive personal data (Sensitive Personal Data). In the case if the offender is a company (juristic person), they may wonder who will be jailed. because the company cannot go to jail In this section, it may fall to the executives, directors or people responsible for the operations of that company who will be punished by imprisonment instead.

 

Administrative penalty

 

Fines range from 1 million baht to a maximum of 5 million baht, of which a maximum fine of 5 million baht will be a case of non-compliance with the PDPA in the use of information. or disclose information or transferring data to other countries of the category of sensitive personal data (Sensitive Personal Data). This administrative penalty is separate from compensation for damages arising from civil penalties and criminal penalties.

 

For what it's worth?

17 hours ago, plus7 said:

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount.

Because you did not sent the money to their (big and leading hotel managing company) account. 

Simply as that. 

 

17 hours ago, plus7 said:

Hi everyone,

 

Thank you for your recommendations.

 

Yes, they sent me the email saying:

 

Please pay to this account:

1234556

Somchai Crook

 

I checked the email, it came from the valid source. So I was sure this is ok. All emails contained quotations from previous emails.

 

The payment was done from a mobile phone application. This transaction isn't reversible. A lesson for me to use a credit card next time.

 

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They virtually saying, we can't help you because you sent money somewhere else.

 

The woman whose email it was, cried: "I did't send you anything!!!".

The superviser woman, who introduced herself only with the nickname said "Please make the payment one more time, this time, for sure, to the right account and we will give you better room. This is all we can do for you."

 

And this is a big (not international) hotel managing company, their ratings on Agoda or elsewhere are generally good.

 

I did the booking with another hotel, of course, and they took only pre-payment. Like if quarantine stay rule will be canceled, no problem.

 

 

What i dont get is that you first have the hotel admitting a security breach and then they come back on their word ? That is bit strange in the story. 

 

You said they admitted a security breach and then the woman said she did not send anything (of course she did not were the hackers). But that must have been clear to the hotel too why else first admit it.


Strange story. 

23 hours ago, plus7 said:

Hi,

 

I was trying to book a hotel for a quarantine stay. Contacted one from the list of approved, they said write an inquiry to hotel's email.

I sent the inquiry, they replied with the pricing. I agreed. They sent bank account number (private) for the payment. After I made the payment they unexpectedly asked for 25,000 as "security deposit".

This was suspicious and I called the hotel again. Hotel said they had a security breach and I actually made the payment to hackers.

All the communication and the payment request was done from company's email address.

 

The hotel refused to provide the room and refuse to return money.

 

At the same day I reported the case to police, but would like to get money back from the hotel. Technical information (SMTP headers) from the emails is identical in legal and in hacked emails.

I hope there is a small case court in Thailand to resolve this easily.

 

Banks don't help, send me to police.

 

What do you think, is there a way to get money back ?

https://www.ocpb.go.th/ewtadmin/ewt/ocpb_en/

https://web.facebook.com/ocpb.official/?_rdc=1&_rdr

 

Closes in twenty minutes.

  • Author
7 hours ago, robblok said:

Strange story. 

Robblock, the story become strange to me too when the email asked for "security deposit" of 25,000. I called the hotel, and they said "don't send anything to them, they are hackers!". Later, I called to the phone number in the signature just for curiosity, and the woman said "I didn't send you anything!!!". She was a legitimate worker if the hotel and it was her email that was hacked (allegedly).

On 12/30/2021 at 8:12 PM, gearbox said:

In theory they are liable,

Why?  The hotel didn't take the money, he sent it to a personal bank account, not a hotel's business account.  Why would anyone do that without checking that massive red flag with the hotel first?

On 12/30/2021 at 10:01 PM, plus7 said:

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They virtually saying, we can't help you because you sent money somewhere else.

Why should they take responsibility if they didn't send you the dodgy personal bank name and number?   

 

They are right, unfortunately, you sent the money to a third party individual, not a "big and leading hotel" account.   Why would you do that without checking the veracity of the request with the hotel?

 

Have you reported to the police that an individual whose name and bank details you know defrauded you?

Edited by Liverpool Lou

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.