Choice Hotels notifies guests of accidental data disclosure

Choice Hotels International has taken steps to address and notify guests of an issue involving inadvertent disclosure of certain guest information to third parties with whom Choice has business relationships. 

Choice recently learned of a technical issue that occurred only in a specific circumstance. The issue involved information entered by a visitor to Choice’s website being inadvertently accessible to third parties with whom Choice has a business relationship when the visitor’s web browser crashed while on the site. Choice uses technology to track activities that occur on its website (e.g., cookies), and that technology sends data to companies that provide services to Choice. 

For visitors to Choice’s website who used the Safari web browser, if Safari crashed and restarted, Safari would put information that had been typed by the visitor on the page into the website address for that page. Tracking technology reads the website address of pages on Choice’s website and sends the data to third parties. Except in a Safari crash circumstance, the page address does not contain information entered by visitors. Choice said it believes this occurred because of how the code for Safari was written.

This specific issue occurred approximately 88,000 times from June 2015 through Nov. 12, 2019. Choice has identified the guest reservations involved that occurred since April 2016 and has sent emails to those guests. 

“We believe that this scenario occurred very infrequently from June 2015 – March 2016 (likely less than 25 times), but we do not have information available to identify the specific guests so we are issuing a press release and posting this notice to notify those guests,” the company said in a statement.

If a visitor to Choice’s website was using Safari and on the reservation page, the information that had been typed in fields on that page that could have been put in the website address when the browser restarted after a crash may include the name of the person making the reservation, email address, state, zip code, country code, and the number and expiration date of the payment card used to make the reservation.

"We are notifying you because this scenario occurred when you were making a reservation," Choice said in a statement. "If you were making a reservation using a mixture of points and payment, the external verification value on the card may have also been in the website address."

“As soon as we identified the scenario that caused this on Nov. 12, 2019, Choice made changes to the code that operates our website to override how Safari responds after a crash,” Choice said in a statement. “We are also contacting the third-party companies we work with to ask them to delete any data they may have.”

Earlier this year, someone stole around 700,000 guest records—including names, addresses, emails and phone numbers—belonging to Choice Hotels International, according to Comparitech. The technology website said it collaborated with security researcher Bob Diachenko to uncover the publicly available database.

For more information, visit www.choicehotels.com/about/browser-crash-incident.