The leak stemmed from an unsecured database, which hackers unfortunately discovered first. The database was more recently discovered by Comparitech and security researcher Bob Diachenko.
The database, which was left online and unsecured for four days, contained 5.7 million Choice Hotels records, but Choice Hotels said the majority of records were “test data, not associated with real people.” However, roughly 700,000 of the records included guest information such as names, email addresses, and phone numbers.
"The records did not contain payment, password or reservation information," a spokesperson for Choice Hotels said in a statement. "We will be notifying affected guests to advise them of what occurred."
Hackers requested ransom
The malicious actors who initially discovered the unsecured database left a ransom note, which said the database had already been downloaded. The cyber thieves asked for 0.4 of a Bitcoin (around $4,000) to turn over the data. The owners of the hotel chain said the ransom attempt was “not successful.”
Choice Hotels says it’s continuing to investigate the data leak and will no longer be working with the vendor who hosted its data.
“We have discussed this matter with the vendor and will not be working with them in the future. We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature,” the company told Comparitech. “We are also establishing a Responsible Disclosure Program, and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.”