PhotoHotel guests at a well-known Chinese hotel chain are now victims of a security breach.

Despite China’s efforts to crack down on cybersecurity, a hacker is now selling the data of 130 million hotel guests for eight Bitcoin ($56,000) on a Chinese Dark Web forum. Chinese media reported the data breach after several cybersecurity groups saw the forum’s ads.

The hacker noted that he got the data from Huazhu Hotels Group Ltd. As one of China’s largest hotel chains, the company operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.

“Those who commit illegal acts, including theft, trading, and exchange of residents’ personal data will be heavily punished,” the Shanghai police said in a statement. “We are resolute in protecting people’s interest and ensuring information safety.”

The hack

Based on the hacker’s description in the ads, the stolen data totals 240 million records -- which is information on approximately 130 million hotel guests -- and is 141.5 GB worth of data.

The following information is what the hacker has sold online: check-in registration information (customer name, ID card number, home address, and birthday), booking information (name, card number, mobile phone number, check-in time, departure time, room number, and hotel ID number), and official website registration information (mobile phone number, email address, login password, and ID card number).

According to the breach, customers at any of Huazhu’s chains were affected by the hack, including: Orange, All Season, Hanting Hotel, Ibis, Manxin, CitiGo, Mercure, Grand Mercure, Haiyou, Starway, Novotel, Joye, and Elan.

A China-based cybersecurity group -- Zibao -- believes the breach occurred when Huazhu developers or programmers uploaded portions of the company’s server to Github earlier this month. The hotel chain has yet to comment on the specifics of the incident, but it has already started an internal investigation and the authorities have been contacted.

Similar problems in China

China has been working to eradicate countless issues regarding cryptocurrency and the buying and selling of items on the dark web. However, the issue continues to plague the country.

The dark web is not indexed by search engines, and sites are able to sell counterfeit money and drugs, among other things -- like people’s personal data.

According to Yin Ran, a Shanghai-based investor in the information technology arena, data breaches are a serious threat to China’s continued digitalisation efforts and are also becoming more and more frequent.

“Strangers would approach us for trading of personal data owned by our portfolio firms,” Ran said. “The potential risks are huge and such illegal behavior must be eradicated to pave the way for further development of digitalised business.”

Chinese artist Deng Yufeng bought the personal data of 340,000 residents in Wuhan on the black market back in April and then displayed them in an art gallery. The authorities promptly put an end to that.


Share your Comments