PII for 130 Million Hotel Guests For Sale on the Dark Web

It is being widely reported today that 500 million client information records were leaked from Hauzhu Hotels Group.  The information includes 123 million registration data records, such as name, mobile number, ID number and log-in pin; 130 million check-in records, such as name, ID number, home address and birthday; and 240 million hotel stay records, such as name, credit card number, mobile number, check-in and check-out time, consumption amount and room number.

Hauzhu Hotels Group Ltd. (Nasdaq: HTHT) is a leading and fast-growing multi-brand hotel group in China. Founded in 2005, HUAZHU has been ranked as the 12th largest hotel group globally. The group currently owns and operates over 3,000 hotels across over 350 cities in China, providing business and leisure travelers with high-quality, and conveniently-located hotel options from upscale to economy.  After dark web and social media posts exposed the breach, Hauzhu says they have reported the exfiltration to police.

What the experts are saying:

Ryan Wilk, VP of Customer Success at NuData Security says, “In the last few years, breaches have gone from affecting a few thousand individuals at a time to exposing the data of millions of users on a regular basis. However, a breach that affects 130 million customers is massive enough to stay at the podium of breaches for a while. This news needs to remind merchants and other companies transacting online that their systems are never entirely safe from breaches; these can happen at any time, and companies need to have their post-breach process ready. This plan includes the implementation of a stronger verification framework so they can still correctly authenticate their good users despite potentially stolen credentials. This sort of data exposure is why so many organizations – from the hospitality sector through to eCommerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioral analytics. In doing so, they’re shifting from “let’s make our company a bunker for all users” to “let’s build the bunker for risky users only.”  They do so by using technology that doesn’t rely on data that could have been exposed in a breach, thus preventing post-breach damage.”

Michael Magrath, Director, Global Regulations & Standards, OneSpan: “Hauzhu is the latest breach that has affected the hospitality industry.  Last summer the SABRE breach affected numerous chains including Trump Hotels, Loews Four Seasons and Hard Rock,  Given the breadth of personally identifiable information stored on hospitality industry systems cybercriminals will continue to their attack often targeting usernames and static passwords or compromising unsecure mobile applications.  

“The hospitality industry is all about customer service.  Given the advancements in authentication technologies, upscale properties can differentiate themselves by offering the latest, frictionless adaptive authentication methods combining behavioral biometrics and machine learning and well as fingerprint and facial recognition.  These technologies can enhance the overall customer experience from online booking, registration, check-out, and entering their guest room.”

David P. Vergara, Head of Security Product Marketing, OneSpan:  “No security measures can fully protect against mind-numbingly careless behavior on the part of internal development teams. If, indeed, this breach was tied to unsecured copies of the hotel database being released, hotel customers should be furious and the hotel should be responsible, providing tools/services to protect customers from fraud. In this case, internal training and adoption of best practices from an IT security and development perspective need to be implemented immediately. Additionally, a full assessment of security technologies should be conducted, including the use of MFA.”

Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine