Huazhu Hotels Group Ltd, a China-based hotel chain, announced this week that Shanghai police arrested the hacker who was selling data on millions of its customers online, on the dark web. The arrest was announced on Monday, September 17, by the hotel group in an investors message, and confirmed two days later by Shanghai police for Chinese media.
Police did not release the man's man, but according to local reports, the hacker is a 30-year-old man named Liu.
Investigators did not reveal any other details about the investigation, but according to previous reports, it appears that Liu may have gotten hold of the hotel chain's data when a developer accidentally uploaded part of its database on GitHub.
The hacker put the Huazhu data up for sale on a dark web hacking forum in mid-August, asking for 8 Bitcoin, which was worth around $56,000, at the time.
The data was sold in three file packages, for a total of 141.5GB. The data trove contained over 500 million records, comprising of 240 million pieces of content related to hotel stays such as name, credit card details, and mobile number; 123 million pieces of registration data recorded on the group's official website such as userID and login pin; and 130 million pieces of check-in data, including birthday and home address.
The Huazhu Hotels Group is one of China's largest hotel chains, operating 5,162 hotels across 13 hotel brands across in 1,119 Chinese cities.
The data sold online was advertised to have originated from customers who stayed at Huazhu's hotel brands, such as Hanting Hotel, Grand Mercure, Joye, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan, and Haiyou.
The hotel chain filed a police complaint on the same day news of the hack broke in Chinese media --August 28.
In its message to investors, the hotel chain said Liu was unsuccessful in selling the stolen data. They also said the hacker attempted to blackmail the hotel into paying for its own data by leveraging public pressure surrounding the public disclosure of the hack.
"To comply with laws and police protocols, the Company cannot disclose additional information on the case at this time," a Huazhu spokesperson said.
These are 2018's biggest hacks, leaks, and data breaches