Chinese police investigating major security breach of hotel group

Some 500 million pieces of customer data is believed to have been compromised, including that of 150 million accounts currently on sale in the dark web for 8 Bitcoins.
Written by Eileen Yu, Senior Contributing Editor

Chinese hotel group Huazhu Group has reportedly suffered a security breach that compromised 500 million pieces of customer data, including that of 150 million accounts currently on sale in the dark web.

The chain is one of China's largest, encompassing more than 3,900 hotels across 370 cities in the country. As of June 30, 2018, Huazhu's customer loyalty programme had 113 million members who accounted for 75 percent of room nights booked in the second quarter of this year. Established in 2005, the company is listed on Nasdaq.

Information leaked in the breach comprised 240 million pieces of content related to hotel stay such as name, credit card details, and mobile number, as well as 123 million pieces of registration data recorded on the group's official website such as userID and login pin. Another 130 million pieces of check-in data was leaked, including birthday and home address, according to state-run media China Daily.

Some 13 hotel brands affected in the breach included Crystal Orange Hotel, VUE, and Grand Mercure Hotel. The group reported the incident to the Shanghai police on Tuesday.

Customer data compromised in the security breach popped up for sale on the dark web, reportedly for 8 Bitcoins, or the current equivalent of US$56,158. An advertisement touting the sale offered 141.5GB of data.

The Shanghai police said in a statement that anyone caught illegally trading or exchanging personal data would be "heavily punished".

Local reports also suggested the breach could have occurred in early-August when Huazhu's engineers uploaded programming details to software repository and development platform, GitHub.

Huazhu said via its official Sina Weibo account that it had engaged an external security firm to verify if data sold online was indeed its customers' and an internal investigation had been launched to ensure customer data was secure.

Editorial standards