Posted on September 2, 2018 at 3:54 PM
Data Breach of Large Chinese Hotel Chain Results in Attempted Sale on Dark Web
Huazhu Hotels Group (also known as China Lodging Group), one of China’s largest hotel chains, recently experienced a data breach that included theft of an estimated 141.5 gigabytes of information.
It is considered to be among the largest data breaches experienced in China to date. The theft appears to have been discovered as a result of a post to sell the information on the Dark Web. The post was presumably made by the hackers themselves and included information that they possessed personal data relating to more than 130 million individuals. The sale price was listed at 8 Bitcoin (or approximately $56,000). The dark web portal on which the sale was posted, is based in China.
The breach is speculated to involve some 130 million guests, who made reservations and stayed at the group’s hotels. Huazhu’s 3,800 hotels that make up its ten brands are located in approximately 380 Chinese cities. Although it does not appear that the records include credit card information, the stolen records (approximately 240 in number) include other potentially sensitive information provided by the customer during the online registration process.
It is speculated that information collected during the check-in process is also involved. That information includes such things as names, addresses, birthdates, ID card numbers, telephone numbers, and email addresses. It may also include stay specific details, such as check-in and check-out dates and times, as well as room numbers. It is speculated that the information also contains online account login information, including passwords.
The Group has acknowledged the breach publicly and has indicated it is making progress with its internal investigation. However, it has given no specific information regarding the status of such investigation or of further steps it will be taking to resolve the matter. The company has also stated that local law enforcement in Shanghai is currently assisting. Law enforcement has indicated that such acts will be heavily punished. Although it is not currently clear to the public when this data was stolen, there is a theory that it was stolen at the time part of Huazhu’s database was uploaded to Github, which occurred sometime in August.
Because so many consumers and businesses are affected by data theft, both businesses and governments are cracking down. One way to do this is to target the crypto industry, which provides anonymity for the sale and purchase of sensitive information. However, thus far, the crypto industry has been able to stay ahead of crackdowns and attempts at regulation.
Although Huazhu Hotels Group stock initially took a hit after information of the breach became public, it appears to have rebounded.