Huazhu Hotels Group, a NASDAQ-listed hotel operator known for its chains of economy hostelries in China, including Home Inn and 7 Days Inn, was revealed by mainland network security organisation JDSEC Team as having been the victim of a hack that leaked nearly 500 million pieces of customer data, according to local media reports.
A story by China’s official Xinhua News Agency revealed that postings on China’s dark net on Tuesday were making available 500 million pieces of customer information, which Internet security company Zpower said included 123 million pieces of Huazhu’s online user registration information, including ID card numbers, email addresses, mobile phone numbers, login names and passwords.
The cache, which the unknown hackers were offering for sale at the price of eight bitcoins (more than $56,765), also included 240 million pieces of hotel booking records, including details of guest expenditures at Huazhu hotels run under local brands such as Hanting, Orange Hotel, and CitiGO, as well as at international branded hotels, such as Grand Mercure and Ibis, operated by the company.
Sharing Your DB Details on GitHub
According to an account on a mainland tech site, the leak came about after Huazhu programmers posted details of how to connect to the company’s database on code-sharing site GitHub on August 14th. Sometime thereafter, a 66.2 gigabyte file containing the hotel operator’s customer data appeared on the dark web.
“The group has already reported the incident to the police and the police are investigating the case right now,” Shanghai-based Huazhu announced on Weibo on Tuesday afternoon, in response to customer complaints that emerged shortly after the leak became public knowledge.
In a separate statement the same day, the group said that it has hired data security professionals to verify whether the ‘related personal information’ sold online was leaked by Huazhu Group. The group’s statements were confirmed by the Changning district branch of the Shanghai Public Security Bureau.
The breach is a damaging public relations incident for Huazhu, which was previously known as China Lodging Group, and ranks as the ninth largest hotel operator in the world.
The company’s 2018 Q2 report said Huazhu has 3,903 hotels with 393,417 rooms in operation, which helped it to generate RMB 2.5 billion of revenue in the three-month period ending June 30th — a 25.9 percent increase over the same period in 2017.
Since the suspected information breach was reported on Tuesday morning, Huazhu’s stock has tumbled over 2.8 percent on the NASDAQ exchange.
It’s 2013 All Over Again
This latest incident is not the first information leak for the hotel company, which was founded in 2005.
In October 2013, mainland network security monitoring platform Wuyun released a report saying that booking records from Huazhu hotels, including Hanting Hotels and Home Inns, were stored in a third party’s platform, which was said to be the company’s Internet service provider Zhejiang Cnwisdom.
According to the report at that time, the customer booking information, including names, ID numbers, booking date, and room numbers, was suspected to have been leaked through a loophole in a Wi-Fi management and certification system developed by Zhejiang Cnwisdom, which provides Internet access to over 4,500 hotels across China.
However, Huazhu denied leaking customers’ data through the ISP. The case was later handed over to the China National Computer Network Emergency Response Technical Team to fix the loophole.