Cybercriminals used an open MongoDB database and demanded $3 800 for recovery of the stolen customer records
Cybercriminals accessed a database containing Choice Hotels customer information and stole 700 000 of those records. Researchers discovered the unsecured MongoDB database, but cybercriminals had already found the vulnerability and taken advantage of the exposed data. The server lacked appropriate security, so the database was left open to the internet with all those personal records, including names, addresses, emails, and telephone numbers.
The database that researcher Bob Diachenko found unsecured contained 5.6 million records. According to officials from Choice Hotels, the bulk of these records contained test information not associated with real people, such as payment card, password, and reservation fields. However, 700 000 records contained personal details of guests.
When researchers analyzed the database and investigated its contents, they found a ransom note. The message claimed that all the records had been stolen and backed up on the hackers' server, and that the owners needed to pay 0.4 Bitcoin, around $4000, to get the files back. Researchers think the note was probably placed there automatically and that the hackers intended to wipe all the data from the database after copying the records they wanted, but the script failed to do so.
No Choice Hotels servers were accessed: the data was stored on a vendor's server
The MongoDB database was publicly accessible without any password or authentication required. This issue was known already, but the particular involvement of Choice Hotels was discovered by Bob Diachenko on July 2nd. The researcher notified the company, and access to the database was immediately secured. Later that month, Choice Hotels started an investigation.
The information that criminals accessed and stole was not stored on a Choice Hotels server, and the company stated the following in response to questions about compromised servers:
We have discussed this matter with the vendor and will not be working with them in the future. We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.
Stolen data may be used in later phishing campaigns
Although Choice Hotels says that only the fields with passwords, reservation details, and payment records were fake test data, many details about real customers were accessed anyway. The biggest issue with such data leaks and breaches is the later use of the stolen information, for example in phishing campaigns.
Scammers can target customers with emails and SMS texts, impersonating Choice Hotels or related companies and requesting personal details, sensitive information, or credit card credentials. Customers should expect such messages and be aware of possible fraud campaigns against them. This unprotected database has already caused many issues, so keep in mind that this particular MongoDB database was used for various purposes and can be employed to spread malware later on.