Someone may have stolen around 700,000 guest records—including names, addresses, emails and phone numbers—belonging to Choice Hotels International, according to Comparitech. The technology website said it collaborated with security researcher Bob Diachenko to uncover the publicly available database.
“Data security is a priority for us,” said a company spokesperson for Choice Hotels International. “Through our investigation, we learned the impacted data was copied by the vendor from our environment without authorization and was being hosted on their server to test a security offering. None of our servers were accessed. While most of the data was fake and not associated with real people, some guest contact information, including names, addresses, phone numbers, and/or email addresses, was included within the data. The records did not contain payment, password or reservation information. We will be notifying affected guests to advise them of what occurred.”
Diachenko first discovered the exposed data on July 2 and immediately notified Choice Hotels, according to Comparitech. The site’s article says the database was first indexed by search engine BinaryEdge on June 30 and secured on July 2.
Diachenko discovered the database with a ransom note asking for 0.4 bitcoin already left in place. As of writing, 0.4 bitcoin converted to somewhere between $4,300 and $4,400. Comparitech’s article said Diachenko theorized an automated script targeting particular databases left the message and was supposed to wipe the database but failed.
The data appears to have been available on the database platform MongoDB. Diachenko has discovered several instances of unprotected data on MongoDB in the past, which he has detailed on his LinkedIn blog.
“Choice Hotels [is] saying that their customer data was exposed through their supplier,” said Elad Shapira, VP of research at Panorays, a third-party security-management company. “This poses the necessary question: who carries the brunt of such breaches—the third party that was hacked or the company that relied on the third party? Past attacks have shown that while the third party suffers from associated breach costs, the company that uses the third party is greatly impacted as well. From brand damage to actual loss of revenue.”
Shapira and SecurityFirst’s CMO Dan Tuchler both noted the role vendors historically have played in data leaks. “In this case, due to the vendor’s poor security practices they will not be hired, so both the hiring company and the vendor have suffered from this breach,” said Tuchler. “This breach also highlights the practice of using live data for testing, putting customer data at risk before the solution is tested and hardened. It’s a common practice and one that frequently leads to bad outcomes.”