Hackers allegedly stole and demanded ransom for more than 700,000 customer records belonging to the major hotel franchise Choice Hotels, including names, addresses, email addresses, and phone numbers. The leak originated from an unsecured database, which the hackers found first. The same unsecured database was subsequently discovered by Comparitech and security researcher Bob Diachenko.
“Hackers claim to have stolen 700,000 guest records belonging to Choice Hotels, one of the largest hotel chains in the world. Comparitech collaborated with security researcher Bob Diachenko to uncover the unsecured database, which was left exposed and accessible to anyone with an internet connection,” Comparitech wrote in its blog post.
According to Choice Hotels, most of the records were only test information, including the payment card, password, and reservation fields; however, 700,000 records were genuine and contained information on guests such as names, email addresses, and phone numbers. While investigating the database, the researcher found a ransom note demanding 0.4 Bitcoin, approximately $4,000, from the owners.
“We have discussed this matter with the vendor and will not be working with them in the future. We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature, and we are also establishing a Responsible Disclosure Program, and we welcome Mr. Diachenko’s assistance in helping us identify any gaps,” Choice Hotels told Comparitech.
Database access was closed off on July 2 and it appears the system was exposed for a total of four days. Choice Hotels says the database, while linked to the firm, was operated by a partner vendor and no internal servers were accessed. Choice Hotels says it’s continuing to investigate the data leak and will no longer be working with the vendor who hosted its data.