Hackers in Thailand hacked a hotel. Looking for a legal advice.

[Liverpool Lou]

On 12/31/2021 at 6:56 AM, mvdf said:

They know they were hacked and yet advised you to use email nevertheless. They should have disabled their email system or, if it was under the hacker's control, they should have removed or amended the email address on their website.

 

Ruthless of them to simply dismiss responsibility. The appropriate way to right this wrong is for them to write off this loss for reputational reasons and offer you a room complimentarily. 

When did they know that they had been hacked?   Presumably after the OP first contacted them, there's no suggestion, apart from yours, that the hotel staff gave the go ahead for paying via a hacked system.

 

The OP knew the name of the apparently substantial, well-reputed hotel yet sent his booking money to an individual's personal bank account.  

[robblok]

9 minutes ago, Liverpool Lou said:

Why should they take responsibility if they didn't send you the dodgy personal bank name and number?   

 

They are right, unfortunately, you sent the money to a third party individual, not a "big and leading hotel" account.   Why would you do that without checking the veracity of the request with the hotel?

 

Have you reported to the police that an individual whose name and bank details you know defrauded you?

One reason is it came from their email account, that counts for something. 

 

I have regularly made payments to hotels (on Koh Lipe) that had a private bank account not a business name). So it would not really raise a red flag from me if it came from the hotel its email itself. That is their responsibility. In the Netherlands this happend too and the companies were at least partially liable. So i would not say its that cut and dry.

[Liverpool Lou]

On 12/31/2021 at 10:25 AM, The Theory said:

???? oh sure

Perhaps employees in the back room using email addresses. 

Well, if that highly unlikely circumstance did happen, at least the OP has the name and bank details of the perpetrator that you suggest those staff gave him.

[Liverpool Lou]

On 12/31/2021 at 12:48 PM, khunPer said:

Have you contacted the bank to where you forwarded the deposit..?

The bank will not disclose any information about a customer's account to him, as a third party.   The request would have to be made inter-bank from the OP's bank.

[Liverpool Lou]

12 minutes ago, robblok said:

One reason is it came from their email account, that counts for something. 

 

I have regularly made payments to hotels (on Koh Lipe) that had a private bank account not a business name). So it would not really raise a red flag from me if it came from the hotel its email itself. 

Perhaps it wouldn't raise a red flag with you because you were familiar with that parochial booking system in Koh Lipe.  The OP knew the hotel was part of a big, well-reputed group that would not have booking payments sent to a private individual's personal bank account yet he didn't query it.

[robblok]

1 minute ago, Liverpool Lou said:

Perhaps it wouldn't raise a red flag with you because you were familiar with that parochial booking system in Koh Lipe.  The OP knew the hotel was part of a big, well-reputed group that would not have booking payments sent to a private individual's personal bank account yet he didn't query it.

If it was a big well reputed group then yes it would raise red flags, but in lipe and other islands it often works different (non big groups). But still getting emails from the hotel itself in name of an employee would make things a lot more trustworthy.

 

As a company you are responsible for your cybersecurity, though your point is well made too.

[Ohyesuare]

On 12/31/2021 at 10:10 AM, snowgard said:

Yes, I thought the same. In real a easy job for the police.
1. They have the bank account owner, who received the money.
2. They can find out the ip of the person who sent the email.

3. They can find out over which ip the mail account is checked for new mails.

You forgot 4. They'd have to give a <deleted> (they won't).

[Liverpool Lou]

15 minutes ago, Ohyesuare said:

You forgot 4. They'd have to give a <deleted> (they won't).

You forgot something, the OP would have to give a <deleted> about who he sent his money to (he apparently didn't).

[fdsa]

Well, that's really interesting. Topic author mentioned the DKIM signature - if it is really valid (verified with DNS records) and the MX record is valid - then it's either an insider or hacker has access to hotel's mail accounts (or internal user accounts).

 

But given this post:

On 12/30/2021 at 4:43 PM, plus7 said:

Addition: I did a websearch on hotel name and found post on tripadvisor (mytrip) reporting exactly the same situation on 19 November 2021.

I bet it's an insider or hotel staff making some extra money, rather than any alleged "hackers". A large hotel did not block the supposedly hacked email account within 1.5 months?! LOL.

 

 

P.S. Plot twist: author is sued by the hotel for defamation

[tgw]

1 hour ago, Liverpool Lou said:

When did they know that they had been hacked?   Presumably after the OP first contacted them, there's no suggestion, apart from yours, that the hotel staff gave the go ahead for paying via a hacked system.

 

The OP knew the name of the apparently substantial, well-reputed hotel yet sent his booking money to an individual's personal bank account.  

from OP's second post, it appears that the hotel knew about the situation already in november:

 

so not shutting down the email domain or redirecting it to another server in a timely manner is criminal negligence and the hotel should be liable.

 

[fdsa]

2 hours ago, tgw said:

criminal negligence

it is called "TiT" here

[The Theory]

5 hours ago, Liverpool Lou said:

Well, if that highly unlikely circumstance did happen, at least the OP has the name and bank details of the perpetrator that you suggest those staff gave him.

And you believe that everything is "logical" here ????

[tgw]

5 hours ago, fdsa said:

it is called "TiT" here

true dat ...

[geisha]

Thé lady sounds a bit iffy to me. It should be easy to find the bank account holder. 

[soi3eddie]

On 12/30/2021 at 1:36 PM, tgw said:

yes, that part of the story stands out.

points to an inside job.

I would report the case to the cybercriminality division of the police, along with the report from November.

 

Either an inside job or criminal negligence.

 

Also, the account should be easily traceable.

I'd bet on inside job.

It would seem to be an entirely appropriate case for either the Cyber Crimes Investigation Bureau (CCIB) or the High-Tech Crime Division (HTCD). But question is will they really be interested in investigating this real crime rather than easy targets such as "defamation"? Should be easy to trace which bank account the money actually went to for sure.  

 

[soi3eddie]

On 12/30/2021 at 11:56 PM, mvdf said:

Ruthless of them to simply dismiss responsibility. The appropriate way to right this wrong is for them to write off this loss for reputational reasons and offer you a room complimentarily. 

As a business owner dealing with public in the UK, I can say that a good reputation (and the confidence it gives to future clients) is much more important than failing to resolve an issue such as this. I would immediately investigate and tighten IT security whilst making good the financial loss of the customer by either compensating or offering the services expected. Sadly Thai businesses do not seem to care to uphold these values. Then they cry when they have no customers (but maybe fear of defamation suits stops their name being published so why care anyway?). T.I.T.

 

[Liverpool Lou]

14 hours ago, The Theory said:

19 hours ago, Liverpool Lou said:

Well, if that highly unlikely circumstance did happen, at least the OP has the name and bank details of the perpetrator that you suggest those staff gave him.

And you believe that everything is "logical" here ????

Huh?  What are you suggesting that "I'm believing is logical"?

[plus7]

Hi,

 

I was near Customer Protection Board and brought them this case and police report.

A clerk in the office, who didn't seem too much busy,  said that since I had not entered into contractual agreement with the hotel - they didn't receive the money actually -  I'm not covered by "customer protection law"

I think I need a lawyer who could explain how come that email "Yes, please pay to this account"  is not an agreement in Thailand.