Chinese hotel chain warns of massive customer data theft
130 million could be impacted by Huazhu Group hack
China’s largest hotel chain is investigating an apparent data theft that is said to involve as many as half a billion pieces of information.
The Xinhua state news agency says Shanghai Police are investigating what looks to be a credible post on a darknet site advertising the sale of nearly 500 million pieces of data reportedly belonging to people who stayed at the chain of hotels Huazhu operates in China.
The data being advertised is said to include ID card details and hotel registration information for guests. The cost of the data was 8 bitcoins.
According to the Beijing News, the total number of people exposed by the data theft could be as many as 130 million, and the report claims that third-party security companies in China have already reviewed and authenticated the data as being a new cache, rather than a collection of previously leaked details.
It goes on to cite China’s Zibao Technology in reporting that the data dump is believed to have come from a company programmer who uploaded an internal database to GitHub, suggesting the incident was an inside job.
Xinhua also notes that Huazhu is conducting its own internal investigation into the matter.
If confirmed, the data dump would immediately be among the largest ever to hit a hotel chain. Huazhu operates more than 3,000 hotels located in some 370 different Chinese cities. By comparison, the 2016 theft at Hyatt Hotels included just 250 locations, and the 2015 hack at Starwood only covered around 54 locations.
Hotels have long been a favorite target of data thieves. Because everyone who checks into a hotel would be using a payment card and ID, point-of-sale and reservations systems hold a trove of data that is useful to fraudsters and can fetch a pretty penny in cybercrime forums and markets. ®