Data leak from Huazhu Hotels may affect 130 million customers

Leaked information potentially includes 240 million lines of data containing phone numbers, email addresses, bank account numbers, and booking details.

Personal data and booking information from 13 hotels operated by Huazhu Hotels Group was reportedly leaked in what could be the largest data breach in China in five years, according to Chinese cybersecurity company FreeBuf.

Recently, a post on a Chinese dark web forum titled “Huazhu-owned hotels booking data” claimed to be selling personal data and information of customers from Huazhu-owned hotels, including Hanting Inns and Hotels, Hi Inn, and JI Hotel, according to Technode. According to local reports, 130 million customers are believed to be affected by the breach. Leaked information potentially includes 240 million lines of data containing phone numbers, email addresses, bank account numbers and booking details.

The data was originally selling for 8 bitcoins (equivalent to roughly $51,100 U.S.). The seller reportedly lowered its asking price to 1 bitcoin after the news spread quickly across local media.

Huazhu Hotels Group released an official statement (in Chinese) saying an internal investigation is underway and the public security bureau is investigating the case. Huazhu is one of China's largest hotel chains, operating more than 3,500 properties across 13 brands, including Ibis and Mercure, reports the BBC.

Data breaches are nothing new for China, but the scale of customer data involved has led to international press attention for the hotel group.

Cyber-security firm Zibao told a local news outlet that it believed the breach was a result of the hotel group's software developers accidentally uploading a database to GitHub, a service where developers can collaborate.

Earlier this summer, hackers gained access to hotel booking website FastBooking to install malware and pilfer data, such as names, email addresses, booking information and payment card data, from guests at hundreds of hotels. Earlier this year, Orbitz disclosed a security breach that may have exposed the data of thousands of customers, including information on 880,000 payment cards.

Back in 2016, Hyatt disclosed a breach of payment cards that affected 250 hotels in approximately 50 countries, making it one of the most wide-ranging incidents in a rash of hotel cyberattacks. Also that year Hilton, Mandarin Oriental, Trump Hotels and Starwood Hotels & Resorts Worldwide were affected by hacker attacks.

Last year, a data breach at third-party hotel-reservations provider Sabre impacted multiple hotels, including those from Four Seasons Hotels and Resorts, Trump Hotels, Kimpton Hotels & Restaurants and RLH Corporation. IHG also announced two data breaches last year.