Data leak from Huazhu Hotels may affect 130 million customers

Leaked information potentially includes 240 million lines of data containing phone numbers, email addresses, bank account numbers, and booking details. Photo credit: iStock / Getty Images Plus

Personal data and booking information from 13 hotels operated by Huazhu Hotels Group reportedly was leaked in what could be the largest data breach in China in five years, according to Chinese cybersecurity company FreeBuf.

Recently, a post on a Chinese dark web forum titled “Huazhu-owned hotels booking data” claimed to be selling personal data and information of customers from Huazhu-owned hotels, including Hanting Inns and Hotels, Hi Inn, and JI Hotel, according to Technode. According to local reports, 130 million customers are believed to be affected by the breach. Leaked information potentially includes 240 million lines of data containing phone numbers, email addresses, bank account numbers and booking details.

The data originally was selling for 8 bitcoins (equivalent to roughly $51,100 U.S.). The seller reportedly lowered its asking price to 1 bitcoin after the news spread quickly across local media.


Like this story? Subscribe to Operations & Technology!

Hospitality professionals turn to Operations & Technology as their go-to source for breaking news on guestrooms, food & beverage, hospitality and technology trends, management and more. Sign up today to get news and updates delivered to your inbox daily and read on the go.

Huazhu Hotels Group released an official statement (in Chinese) saying an internal investigation is underway and the public security bureau is investigating the case. Huazhu is one of China's largest hotel chains, operating more than 3,500 properties across 13 brands, including Ibis and Mercure, reports the BBC.

Data breaches are nothing new for China, but the scale of customer data involved has led to international press attention for the hotel group.

Cyber-security firm Zibao told a local news outlet that it believed the breach was a result of the hotel group's software developers accidentally uploading a database to Github, a service where developers can collaborate.

Earlier this summer, hackers got to hotel booking website FastBooking to install malware and pilfer data, such as names, email addresses, booking information and paymentcard data, from guests at hundreds of hotels. Earlier this year, Orbitz disclosed a security breach that may have exposed the data of thousands of customers, including information on 880,000 payment cards.

Back in 2016, Hyatt disclosed a breach of payment cards that affected 250 hotels in approximately 50 countries, making it one of the most wide-ranging incidents in a rash of hotel cyberattacks. Also that year Hilton, Mandarin Oriental, Trump Hotels and Starwood Hotels & Resorts Worldwide were affected by hacker attacks.

Last year, a data breach at third-party hotel-reservations provider Sabre impacted multiple hotels, including those from Four Seasons Hotels and Resorts, Trump Hotels, Kimpton Hotels & Restaurants and RLH CorporationIHG also announced two data breaches last year.

Suggested Articles

Even Hotels, Hampton by Hilton, SureStay Hotels by Best Western and Fairfield by Marriott saw new locations open in the Peach State.

British hotels to adopt ‘points-based’ system for continental holidaymakers, according to Robin Sheppard

Edyn has acquired a site forming part of the University of Cambridge’s development of Eddington, which will become the latest location for its boutiqu