Jump to content
You are not logged in ▶️ Click to sign-up or login ×

Hackers in Thailand hacked a hotel. Looking for a legal advice.

plus7

By plus7
in General Topics

 Share

Recommended Posts

  • Popular Post
plus7 Advanced Member

plus7

Posted
  • Popular Post
Posted

Hi,

 

I was trying to book a hotel for a quarantine stay. Contacted one from the list of approved, they said write an inquiry to hotel's email.

I sent the inquiry, they replied with the pricing. I agreed. They sent bank account number (private) for the payment. After I made the payment they unexpectedly asked for 25,000 as "security deposit".

This was suspicious and I called the hotel again. Hotel said they had a security breach and I actually made the payment to hackers.

All the communication and the payment request was done from company's email address.

 

The hotel refused to provide the room and refuse to return money.

 

At the same day I reported the case to police, but would like to get money back from the hotel. Technical information (SMTP headers) from the emails is identical in legal and in hacked emails.

I hope there is a small case court in Thailand to resolve this easily.

 

Banks don't help, send me to police.

 

What do you think, is there a way to get money back ?

 

  • Like 2
  • Sad 1
  • Haha 2
Link to comment
Share on other sites
  • Popular Post
gearbox Gold Member

gearbox

Posted
  • Popular Post
Posted
8 minutes ago, plus7 said:

Kwasaki,

 

Thank you for your attention, I lost 18,000 and the guy from tripadvisor 20,000.

 

 

In theory they are liable, but in practice I doubt a small case court can deal with this. Digital crime is highly specialised topic and most likely there has to be experts called as witnesses to explain in plain language what SMTP headers are. Btw these can be forged too. IMO your best bet is to find more victims and act together, your case would look much more probable.

File a police report first and mention the tripadvisor post as well. The police in many countries have digital crime units now, they are obliged to act on cases like this. Also in some countries there is now a mandatory breach disclosure and notification, the hotel may breach the law if they are aware their infrastructure is hacked and they fail to notify the police and the potential victims.

  • Like 2
  • Thanks 1
Link to comment
Share on other sites
gearbox Gold Member

gearbox

Posted
Posted
2 minutes ago, plus7 said:

gearbox,

 

Thank you for your valuable advice. Yes, headers can be forged, but DKIM signature (which is present and valid), can't be forged.

I will try to find more victims, maybe this topic will help to find someone.

 

Reading more carefully your post it seems that they were fairly stupid to admit in an email that they have been hacked. Unless that email is from the hackers too ????

 

You can extract an admission of hacking by calling them by phone and record the call...just try to make them admit clearly that they have been hacked. A court can understand this better than the technicalities of the SMTP exchanges and DKIM signatures.

 

In some countries recording a phone call when you are a participant is legal and can be used in a court as an evidence. Have no idea what the Thai law says about this.

 

 

 

  • Like 2
Link to comment
Share on other sites
  • Popular Post
tgw Platinum Member

tgw

Posted
  • Popular Post
Posted (edited)
3 minutes ago, Chris.B said:

You phoned the hotel and they told you to make your inquiry to the hotel's email address?

The hotel's email address was hacked?

yes, that part of the story stands out.

points to an inside job.

I would report the case to the cybercriminality division of the police, along with the report from November.

 

Either an inside job or criminal negligence.

 

Also, the account should be easily traceable.

I'd bet on inside job.

Edited by tgw
  • Like 1
  • Thanks 1
  • Haha 1
Link to comment
Share on other sites
  • Popular Post
OneMoreFarang Star Member

OneMoreFarang

Posted
  • Popular Post
Posted
4 hours ago, plus7 said:

They sent bank account number (private) for the payment.

Private? Like pay to Somchai Crook?

 

When I pay for a hotel there are two options: Credit card or transfer to the hotel account with a name that matches the name of the hotel. 

  • Like 6
  • Thanks 1
Link to comment
Share on other sites
  • Popular Post
OneMoreFarang Star Member

OneMoreFarang

Posted
  • Popular Post
Posted

Maybe this will help you: Any business in Thailand is required to keep logs of the internet traffic for (as far as I remember) 6 month. If they don't keep the logs or if there are no logs there can be a very high penalty.

 

So maybe ask them for the logs. And when they reply there are no logs ...

  • Like 1
  • Haha 2
Link to comment
Share on other sites
tgw Platinum Member

tgw

Posted
Posted
2 minutes ago, OneMoreFarang said:

Private? Like pay to Somchai Crook?

 

When I pay for a hotel there are two options: Credit card or transfer to the hotel account with a name that matches the name of the hotel. 

yeah, well, some people are gullible (many) and this is Thailand.

the crook is criminally guilty, while the injured parties are minimally guilty of negligence.

  • Like 1
  • Sad 1
Link to comment
Share on other sites
plus7 Advanced Member

plus7

Posted
  • Author
Posted

Hi everyone,

 

Thank you for your recommendations.

 

Yes, they sent me the email saying:

 

Please pay to this account:

1234556

Somchai Crook

 

I checked the email, it came from the valid source. So I was sure this is ok. All emails contained quotations from previous emails.

 

The payment was done from a mobile phone application. This transaction isn't reversible. A lesson for me to use a credit card next time.

 

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They virtually saying, we can't help you because you sent money somewhere else.

 

The woman whose email it was, cried: "I did't send you anything!!!".

The superviser woman, who introduced herself only with the nickname said "Please make the payment one more time, this time, for sure, to the right account and we will give you better room. This is all we can do for you."

 

And this is a big (not international) hotel managing company, their ratings on Agoda or elsewhere are generally good.

 

I did the booking with another hotel, of course, and they took only pre-payment. Like if quarantine stay rule will be canceled, no problem.

 

 

Link to comment
Share on other sites
ChrisP24 Advanced Member

ChrisP24

Posted
Posted

18k baht certainly hurts, but in the grand scheme of things I personally wouldn't try to pursue a court case from outside of the country.  The time, effort, aggravation and very real risk of money paid to a lawyer being just a waste make it in my mind just not worth it.

 

18k sounds like it is for a longer stay, maybe the best course of action is to make what lemonade you can out of the situation by speaking with the general manager directly and getting the hotel to get you one of their best rooms at the most discounted rate you can talk them into.   They do have some responsibility and will hopefully at least acknowledge it that way.  If the GM won't do that you could try going higher up within the management company.

Link to comment
Share on other sites
  • Popular Post
mvdf Silver Member

mvdf

Posted
  • Popular Post
Posted (edited)
10 hours ago, plus7 said:

gearbox,

 

Thank you for your valuable advice. Yes, headers can be forged, but DKIM signature (which is present and valid), can't be forged.

I will try to find more victims, maybe this topic will help to find someone.

If you were instructed to inquire via email and having followed that instruction, you received a response with instructions to pay to a certain account, the hotel should be held liable for damages as a result of negligence on their part. They know they were hacked and yet advised you to use email nevertheless. They should have disabled their email system or, if it was under the hacker's control, they should have removed or amended the email address on their website.

 

Ruthless of them to simply dismiss responsibility. The appropriate way to right this wrong is for them to write off this loss for reputational reasons and offer you a room complimentarily. 

 

Edited by mvdf
  • Like 3
Link to comment
Share on other sites
  • Popular Post
snowgard Silver Member

snowgard

Posted
  • Popular Post
Posted
2 hours ago, Chosenfew said:

Seems like an inside job, maybe some hotel f**kery going on…

Yes, I thought the same. In real a easy job for the police.
1. They have the bank account owner, who received the money.
2. They can find out the ip of the person who sent the email.

3. They can find out over which ip the mail account is checked for new mails.

  • Like 3
  • Thanks 1
Link to comment
Share on other sites
berrec Silver Member

berrec

Posted
Posted

Maybe some useful information on legal requirements for originations in Thailand to report data security breaches. 

 

DATA BREACH REPORTING UNDER THE THAILAND PDPA

 

Extract: If the data breach IS likely to result in a risk to the rights and freedoms of data subjects, then the controller must report the breach to the PDPC within 72 hours of becoming aware of it.

 

Not saying it will help you with any legal aspects, but possibly you can rattle the hotel's chain and request reimbursement, or you're going to report them for PDPA violation of non-compliance to report a security breach issue.

 

When PDPA is enforced but not complied with What penalties will there be?

 

Failure to comply with the PDPA will be penalized for non-compliance. 

 

There are 3 types of Personal Data Protection Act (PDPA) as follows:

 

Civil penalty

 

Civil penalties are required to indemnify the owner of the personal data that was damaged by the infringement. and may be required to pay additional compensation for additional punitive damages up to 2 times the actual damages. Must pay compensation to the owner of the personal data in the amount of 100,000 baht, the court may order a penalty for punitive damages 2 times the actual damages equal to having to pay all the fines in the amount of 3 hundred thousand baht

 

Criminal penalties

 

Criminal penalties include both imprisonment and a fine, with a maximum imprisonment of not more than 1 year or a fine of not more than 1 million baht, or both. The maximum penalty is imposed on non-compliance with the PDPA in respect of the use of data. or disclose information or send data transfers to foreign countries Types of sensitive personal data (Sensitive Personal Data). In the case if the offender is a company (juristic person), they may wonder who will be jailed. because the company cannot go to jail In this section, it may fall to the executives, directors or people responsible for the operations of that company who will be punished by imprisonment instead.

 

Administrative penalty

 

Fines range from 1 million baht to a maximum of 5 million baht, of which a maximum fine of 5 million baht will be a case of non-compliance with the PDPA in the use of information. or disclose information or transferring data to other countries of the category of sensitive personal data (Sensitive Personal Data). This administrative penalty is separate from compensation for damages arising from civil penalties and criminal penalties.

 

For what it's worth?

  • Like 2
Link to comment
Share on other sites
CH1961 Advanced Member

CH1961

Posted
Posted
17 hours ago, plus7 said:

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount.

Because you did not sent the money to their (big and leading hotel managing company) account. 

Simply as that. 

  • Like 1
Link to comment
Share on other sites
robblok Star Member

robblok

Posted
Posted

 

17 hours ago, plus7 said:

Hi everyone,

 

Thank you for your recommendations.

 

Yes, they sent me the email saying:

 

Please pay to this account:

1234556

Somchai Crook

 

I checked the email, it came from the valid source. So I was sure this is ok. All emails contained quotations from previous emails.

 

The payment was done from a mobile phone application. This transaction isn't reversible. A lesson for me to use a credit card next time.

 

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They virtually saying, we can't help you because you sent money somewhere else.

 

The woman whose email it was, cried: "I did't send you anything!!!".

The superviser woman, who introduced herself only with the nickname said "Please make the payment one more time, this time, for sure, to the right account and we will give you better room. This is all we can do for you."

 

And this is a big (not international) hotel managing company, their ratings on Agoda or elsewhere are generally good.

 

I did the booking with another hotel, of course, and they took only pre-payment. Like if quarantine stay rule will be canceled, no problem.

 

 

What i dont get is that you first have the hotel admitting a security breach and then they come back on their word ? That is bit strange in the story. 

 

You said they admitted a security breach and then the woman said she did not send anything (of course she did not were the hackers). But that must have been clear to the hotel too why else first admit it.


Strange story. 

Link to comment
Share on other sites
Bruno123 Platinum Member

Bruno123

Posted
Posted
23 hours ago, plus7 said:

Hi,

 

I was trying to book a hotel for a quarantine stay. Contacted one from the list of approved, they said write an inquiry to hotel's email.

I sent the inquiry, they replied with the pricing. I agreed. They sent bank account number (private) for the payment. After I made the payment they unexpectedly asked for 25,000 as "security deposit".

This was suspicious and I called the hotel again. Hotel said they had a security breach and I actually made the payment to hackers.

All the communication and the payment request was done from company's email address.

 

The hotel refused to provide the room and refuse to return money.

 

At the same day I reported the case to police, but would like to get money back from the hotel. Technical information (SMTP headers) from the emails is identical in legal and in hacked emails.

I hope there is a small case court in Thailand to resolve this easily.

 

Banks don't help, send me to police.

 

What do you think, is there a way to get money back ?

https://www.ocpb.go.th/ewtadmin/ewt/ocpb_en/

https://web.facebook.com/ocpb.official/?_rdc=1&_rdr

 

Closes in twenty minutes.

  • Like 1
Link to comment
Share on other sites
plus7 Advanced Member

plus7

Posted
  • Author
Posted
7 hours ago, robblok said:

Strange story. 

Robblock, the story become strange to me too when the email asked for "security deposit" of 25,000. I called the hotel, and they said "don't send anything to them, they are hackers!". Later, I called to the phone number in the signature just for curiosity, and the woman said "I didn't send you anything!!!". She was a legitimate worker if the hotel and it was her email that was hacked (allegedly).

Link to comment
Share on other sites
Liverpool Lou Star Member

Liverpool Lou

Posted
Posted (edited)
On 12/30/2021 at 10:01 PM, plus7 said:

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They virtually saying, we can't help you because you sent money somewhere else.

Why should they take responsibility if they didn't send you the dodgy personal bank name and number?   

 

They are right, unfortunately, you sent the money to a third party individual, not a "big and leading hotel" account.   Why would you do that without checking the veracity of the request with the hotel?

 

Have you reported to the police that an individual whose name and bank details you know defrauded you?

Edited by Liverpool Lou
  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.






×
×
  • Create New...