Chinese hotel chain’s customer data on Dark Web – 500M records for $50K

When you stay in a hotel, you’re often visiting only temporarily.

You’ll usually be leaving soon – probably going back to your home town, or on to your next destination, which could be in another state or even in another country.

In other words, by the time the hotel realises you’ve drained the minibar, flooded the bathroom and indulged in your rockstar fantasy of flinging the TV out of the window into the swimming pool, you might not only have vanished from their radar but also left their jurisdiction altogether.

So it’s not surprising that hotels want precise and verifiable details about you, including ID, home address and payment card data.

In fact, in many countries – the UK is one of them – hoteliers have effectively been co-opted as field staff for the government’s immigration department, and are legally obliged to collect and hold onto passport data for some or all visitors.

You often have little choice but to hand over the data that’s requested at the reception desk – if you refuse, you might find yourself faced with the prospect of spending the night on the street, in an unfamiliar city, surrounded by your luggage.

As you can imagine, this plethora of hotel check-in data represents a gold mine for cybercrooks, so it’s not surprising that we’ve written about data breaches in the hospitality industry on a number of occasions before.

Most of those breaches affected hotel chains headquartered in the USA, but reports from China – where there are about four times as many people as in America – suggest that the Huazhu hotel chain has suffered a bigger-than-ever-before hospitality breach that potentially affects 130,000,000 people.

These reports are based on claims that stolen data, including information from guests’ IDs, has shown up for sale on the cyberunderground.

According to The Register, the asking price was 8 bitcoins. (On 2018-08-30, bitcoins were worth about US$7000 each.)

What to do?

Even if the crooks only end up with data such as your name, address and phone number, that gives them a good starting point for pretending to be you, whether they’re filling in online forms in your name or making phone calls.

The crooks can also use personally identifiable information (PII) the other way around: instead of convincing someone else that they’re you, they can use PII to convince you that they are acting in some official capacity when they aren’t.

If a crook knows that your name is N, knows that you stayed in hotel H belonging to chain C on date D, and knows that you had topping T on the pizza you ordered from room service…

…they’re much more likely to be able to trick you into sharing yet more personal data, for example by suggesting that you’re entitled to some money back, that you’ve won free nights, or that you’re in a position to claim some other alleged “benefit”.

So, if you’ve stayed at a Huazhu hotel recently and you’re worried:

  • Keep an eye on your financial statements for transactions you didn’t authorise. Flag suspicious activity with your financial institution as soon as you can.
  • Be cautious if you’re contacted by email or phone by someone whose “identity” is based on something they know about you. That proves only what they know, not who they are!
  • Don’t reply or call back using contact details provided by the person who contacted you. Look up web addresses or phone numbers using independent information you already have, such as old statements or letters.

Remember – if in doubt, don’t give it out!