Choice Hotels' vendor reportedly leaks 700,000 guest records

Choice Hotels International consists of more than 7,000 hotels, including the Cambria Hotel Charleston (S.C.) Riverview. Photo credit: Choice Hotels International

Someone may have stolen around 700,000 guest records—including names, addresses, emails and phone numbers—belonging to Choice Hotels International, according to Comparitech. The technology website said it collaborated with security researcher Bob Diachenko to uncover the publicly available database.

“Data security is a priority for us,” said a company spokesperson for Choice Hotels International. “Through our investigation, we learned the impacted data was copied by the vendor from our environment without authorization and was being hosted on their server to test a security offering. None of our servers were accessed. While most of the data was fake and not associated with real people, some guest contact information, including names, addresses, phone numbers, and/or email addresses, was included within the data. The records did not contain payment, password or reservation information. We will be notifying affected guests to advise them of what occurred.”

Diachenko first discovered the exposed data on July 2 and immediately notified Choice Hotels, according to Comparitech. The site’s article says the database was first indexed by search engine BinaryEdge on June 30 and secured on July 2.


Diachenko discovered the database with a ransom note asking for 0.4 bitcoin already left in place. As of writing, 0.4 bitcoin converted to somewhere between $4,300 and $4,400. Comparitech's article said Diachenko theorized that the message was left by an automated script that scans for databases of this type, and that the script was supposed to wipe the database but failed to do so, which is why the records were still present when he found them.

The data appears to have been available on the database platform MongoDB. MongoDB does not enable authentication by default, and before version 3.6 the server also listened on all network interfaces by default, which is why unauthenticated, internet-reachable instances have been a recurring source of such exposures. Diachenko has discovered several instances of unprotected data on MongoDB in the past, which he has detailed on his LinkedIn blog.

“Choice Hotels [is] saying that their customer data was exposed through their supplier,” said Elad Shapira, VP of research at Panorays, a third-party security-management company. “This poses the necessary question: who carries the brunt of such breaches—the third party that was hacked or the company that relied on the third party? Past attacks have shown that while the third party suffers from associated breach costs, the company that uses the third party is greatly impacted as well. From brand damage to actual loss of revenue.”

Shapira and SecurityFirst’s CMO Dan Tuchler both noted the role vendors historically have played in data leaks. “In this case, due to the vendor’s poor security practices they will not be hired, so both the hiring company and the vendor have suffered from this breach,” said Tuchler. “This breach also highlights the practice of using live data for testing, putting customer data at risk before the solution is tested and hardened. It’s a common practice and one that frequently leads to bad outcomes.”
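The practice Tuchler describes, copying live guest records into a test environment, has a standard engineering alternative: pseudonymize the contact fields before the data leaves production, so the test system never holds real names, addresses, emails or phone numbers. The following is an added example, not code from the article, from Choice Hotels or from the vendor involved. It assumes a flat record with the four fields the article lists (the field names and the sample records are constructed here), and uses a keyed HMAC so that the same real value always maps to the same token within one key (joins and duplicate detection in test still work) while the mapping cannot be rebuilt without the key.

```python
"""Pseudonymize guest contact records before they are copied to a test system.

Added example; not code from the article or from any company named in it.
Field names, sample records and the demo key are assumptions for illustration.
"""
import hashlib
import hmac

# Constructed sample records, not real guest data. Record 0 and record 2 are
# the same guest on purpose, to show that pseudonymization is deterministic.
SAMPLE_RECORDS = [
    {"name": "Jane Example", "address": "1 Main St, Springfield",
     "email": "jane@example.com", "phone": "+1 555 010 0001"},
    {"name": "John Sample", "address": "2 Oak Ave, Shelbyville",
     "email": "john@example.org", "phone": "+1 555 010 0002"},
    {"name": "Jane Example", "address": "1 Main St, Springfield",
     "email": "jane@example.com", "phone": "+1 555 010 0001"},
]

PII_FIELDS = ("name", "address", "email", "phone")

# Demo key only. In a real pipeline the key lives in production's secret
# store and never travels to the test environment alongside the data.
DEMO_KEY = b"demo-key-do-not-use-in-production"


def _token(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic pseudonym for one field value.

    HMAC-SHA256 rather than a plain hash: with a plain hash, anyone holding
    the test data could rebuild the mapping by hashing guessed names or
    e-mail addresses. The field name is mixed in so the same string used in
    two different fields does not yield the same token.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with every PII field replaced by a token
    that keeps the field's shape (an e-mail still looks like an e-mail)."""
    out = dict(record)
    for field in PII_FIELDS:
        if record.get(field) is None:
            continue
        tok = _token(key, field, str(record[field]))
        if field == "email":
            # .invalid is reserved (RFC 2606), so test mail can never be delivered
            out[field] = f"user-{tok}@example.invalid"
        elif field == "phone":
            # 555 numbers are fictional in North America; keep a phone-like shape
            n = int(tok, 16) % 10_000_000
            out[field] = f"+1 555 {n // 10000:03d} {n % 10000:04d}"
        else:
            out[field] = f"{field}-{tok}"
    return out


def pseudonymize(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def contains_real_pii(original_records: list, masked_records: list) -> bool:
    """Export gate: True if any original PII value survives verbatim in the
    masked set. Run this before anything is copied out of production."""
    real = {str(r[f]) for r in original_records for f in PII_FIELDS if r.get(f)}
    return any(str(m.get(f, "")) in real for m in masked_records for f in PII_FIELDS)


if __name__ == "__main__":
    masked = pseudonymize(SAMPLE_RECORDS, DEMO_KEY)
    for row in masked:
        print(row)
    print("real PII leaked into test set:", contains_real_pii(SAMPLE_RECORDS, masked))
```

The export gate is the part worth keeping even if the tokenization scheme changes: it is a cheap, mechanical check that the copy about to be shipped to a vendor or a test host contains none of the production values, which is exactly the condition that was not met in the incident described above.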