Chinese police arrest hacker who sold data of millions of hotel guests on the dark web

Hacker was selling 141.5GB of data from Huazhu Hotels Group. He also attempted to blackmail the hotel chain to pay for its own data.
Written by Catalin Cimpanu, Contributor

Huazhu Hotels Group Ltd, a China-based hotel chain, announced this week that Shanghai police arrested the hacker who was selling data on millions of its customers online, on the dark web. The arrest was announced on Monday, September 17, by the hotel group in an investors message, and confirmed two days later by Shanghai police for Chinese media.

Police did not release the man's man, but according to local reports, the hacker is a 30-year-old man named Liu.

TechRepublic: Jackpotting cyberattack hits US, forces ATMs to spit out money for hackers

Investigators did not reveal any other details about the investigation, but according to previous reports, it appears that Liu may have gotten hold of the hotel chain's data when a developer accidentally uploaded part of its database on GitHub.

The hacker put the Huazhu data up for sale on a dark web hacking forum in mid-August, asking for 8 Bitcoin, which was worth around $56,000, at the time.

The data was sold in three file packages, for a total of 141.5GB. The data trove contained over 500 million records, comprising of 240 million pieces of content related to hotel stays such as name, credit card details, and mobile number; 123 million pieces of registration data recorded on the group's official website such as userID and login pin; and 130 million pieces of check-in data, including birthday and home address.


China hotel data sold on the dark web

Image: Weibo

CNET: Forget debit cards. This is how you'll use your phone at the ATM

The Huazhu Hotels Group is one of China's largest hotel chains, operating 5,162 hotels across 13 hotel brands across in 1,119 Chinese cities.

The data sold online was advertised to have originated from customers who stayed at Huazhu's hotel brands, such as Hanting Hotel, Grand Mercure, Joye, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan, and Haiyou.

The hotel chain filed a police complaint on the same day news of the hack broke in Chinese media --August 28.

Also: Hackers swipe card numbers from local government payment portals

In its message to investors, the hotel chain said Liu was unsuccessful in selling the stolen data. They also said the hacker attempted to blackmail the hotel into paying for its own data by leveraging public pressure surrounding the public disclosure of the hack.

"To comply with laws and police protocols, the Company cannot disclose additional information on the case at this time," a Huazhu spokesperson said.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Five computer security questions you must be able to answer right now

If you can't answer these basic questions, your security could be at risk.

Critical infrastructure will have to operate if there's malware on it or not

Retired US Air Force cyber-security expert shares his thoughts on the future of critical infrastructure security.

Ordinary Wi-Fi devices can be used to detect suspicious luggage, bombs, weapons

Researchers turn ordinary WiFi devices in rudimentary scanners that can identify potentially dangerous objects hidden inside bags or luggage.

Related stories:

Editorial standards