Huazhu Group hotel breach involves millions of customers

Millions of Huazhu Hotel Group customers involved in a serious data breach

Data of more than 3500 hotels of Huazhu Hotel Group affected by data breach.

This Tuesday, Huazhu Group,^[1] the company monitoring more than 3500 hotels and other properties in China region, ^[2] reported about a serious data breach involving millions of its customers. As it was revealed to the Shanghai police, the accident touched its major hotels and might have leaked data related to 100 million customers or more. It all came up to the surface when the stolen information (equal to 140 gigabytes) was put for sale on the Internet for 8 BTC, approximately $55,600.

According to researchers, the stolen information includes millions of registration details such as names, surnames, ID codes, mobile phone numbers, dates of birth, residence addresses, various check-in details, and other personal data. It is believed that, in total, around 500 million records from various customers were stolen during the data breach process.

It is still unknown who is responsible for the data exposure

Several speculations about the data breach have appeared since its discovery. According to China's Zibao Technology, the data exposure might be a result of an accidental decision of the group's software developers who might have uploaded the whole database to Github which is used for helping developers to collaborate.^[3]

The same concerns have been expressed by Lastline's^[4] director Andy Norton who also believes that the hack was initiated by inexperienced hackers:

It looks like human error is to blame for this breach. It also looks like the threat actors selling the data don't have the contacts or infrastructure to monetize the stolen IDs individually, he explained.

It seems that there is a truly big chance that the leak has come from the company itself. However, the most important thing here is to realize that no one is safe and that everyone should take care of precautionary methods to prevent such losses in the future.

Punishment for those who will try to misuse the leaked information

Shanghai police has already released a statement about whats going to happen if the leaked data is misused for illegal and wrong purposes:

Those who commit illegal acts including theft, trading and exchange of residents’ personal data will be heavily punished, the Shanghai police said in a statement. We are resolute in protecting people’s interest and ensuring information security.

This might keep some hackers away from misusing exposed data. However, the investigation process has done some moves according to Huazhu, but there are no closer details shared about the process currently.

Data breach – a common occurrence in China

According to one of Shangai's investors in the technology sector, Yin Ran, data exposure is a very common and dangerous occurrence in China:

Strangers would approach us for trading of personal data owned by our portfolio firms, Yin said. The potential risks are huge and such illegal behaviour must be eradicated to pave the way for further development of digitalised businesses.

This April, there were around 346,00 Wuhan residents whose personal details were exposed and put up on the Internet for sale. An artist named Deng Yufeng managed to purchase the data from the black market and make an exhibition of it in a particular art gallery. Of course, authorities shut down this gallery by force ^[5].

Remember, we all can be a part of our own data safety. Taking precautionary measures while providing personal information to various companies, websites, is necessary.