Huazhu Hotel Group, a large Chinese hotel management firm established in 2005, was recently targeted by a hacker who managed to gain access to personal data of over 130 million people who had made room reservations at 13 different hotels operated by the company.
The hacker is now reportedly selling all the leaked data for 8 Bitcoin (BTC) or 520 Monero (XMR), an amount currently valued at over $55,000 according to data from CryptoCompare.
According to a message titled “Huazhu-owned Hotels Booking Data” on a Chinese dark web forum, the compromised 141.5 GB of data being sold includes the hotel guests’ names, their government-issued ID card numbers, email addresses, home addresses, bank account information, and detailed customer booking information.
Hotels whose customer data was reportedly leaked include mainly 3 to 4 star hotels (and a few five-star) run by Huazhu such as the Grand Mercure, Hanting Hotel, CitiGo, Manxin, Elan, All Season, Ibis, Starway, among several others. In total, there are over 240 million stolen records belonging to more than 130 million hotel guests being sold by the hacker in exchange for the pseudonymous cryptocurrencies.
“Authenticity” Of Stolen Data Is “Very High”
Huazhu Hotels Group, previously known as the China Lodging Group, manages over 3,800 hotels throughout China and is one of the world’s largest hotel management companies, currently ranked 12th in terms of size, or scale, of operations.
A data verification and analysis report from Chinese cybersecurity firm Threat Hunter concluded that the “authenticity” of the compromised data was “very high”, meaning that most of it was up-to-date, or current, and accurately reveals the hotel guests’ personal information. Threat Hunter also said the security breach was quite serious and likely the largest in China since the past five years.
In response the large data leak, the Huazhu Hotels Group issued an official notice via Weibo, a Chinese microblogging website (similar to Twitter), in which it said that they were conducting several investigations, which include determining whether the company’s employees were involved in the incident. The Huazhu Group warned that selling or buying stolen, or compromised information, with cryptocurrencies or fiat is strictly prohibited in China.
Failure To Protect Private Customer Information
Personnel from China’s public security department are also reportedly investigating Huazhu’s security breach. Ma Xiaolong, a professor at Nankai University’s College of Tourism and Service Management, said that the leakage occurred due to the hotel firm’s poor management of customer data and related technical issues.
Xiaolong added that all hotels are responsible for ensuring consumer protection and must make sure that their customers’ private information is not compromised. The professor referred to China’s Protection of Consumer Rights and Interests law, which clearly states that companies must take all necessary measures to prevent the leakage of private customer data.
As CryptoGlobe reported, user data was also recently leaked from a Brazilian cryptocurrency arbitrage platform in which the private details of over 264,000 accounts was shared publicly by the hacker(s). The leaked information included users’ email addresses, phone numbers, and the amount of digital currency they had deposited on the platform.