Choice Hotels Data Breach Affects 700,000 Records

US-based hotel chain Choice Hotels has faced ransom demands from hackers, after they reportedly managed to steal more than 700,000 customer records.

The stolen records is said to include names, full addresses, email addresses, and/or phone numbers, and the information was easy pickings for the hackers as the MongoDB instance was reportedly unprotected.

Data breaches of hotel chains are frequent, with Symantec earlier this year reporting that most hotels leak data, after a study found worryingly high levels of hotels leaking customer data.

Choice Hotels

But this latest breach came when Comparitech collaborated with security researcher Bob Diachenko to uncover the unsecured database, which was left exposed and accessible to anyone with an internet connection.

Diachenko immediately notified the company of the exposed 3.8GB MongoDB instance, but it appears malicious actors got to it first.

The hackers left a ransom note demanding 0.4 Bitcoin, or $3,856 as of time of writing.

According to Comparitech, the database held 5.6 million records.

#But Choice Hotels told Comparitech in an email that the majority of records were “test data, not associated with real people.”

Apparently about 700,000 of the records included details of actual guests including names, email addresses, and phone numbers.

The company says the data was hosted on a vendor’s server, and no Choice Hotels servers were accessed. “The vendor was working with the data as part of a proposal to provide a tool” the hotel chain reportedly said.

“We have discussed this matter with the vendor and will not be working with them in the future,” said the hotel chain. “We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.”

The MongoDB database was made publicly available with no password or other authentication required to access it for four days, from the end of June.

Diachenko discovered the database on 2 July and immediately notified Choice Hotels about the exposure. The database was secured that same day, but a ransom note had already been left.

Hotel data breaches are common. Last month the US hotel chain Marriot International was said to be facing a potentially hefty financial penalty for a data breach that affected hundreds of millions of people

The Information Commissioner’s Office (ICO) launched its investigation into the “colossal” hack on Marriott International back in December last year. That hack was only discovered in November 2018, but it affected the personal details and payment card data on up to 340 million people dating back to 2014.

Expert views

Security experts were keen to point out that while the data was exposed on a third party website, responsibility for the data rested with Choice Hotels as it was their data.

“Any company which retains user data has a responsibility to protect it in their own systems, but also by enforcing good security practice on suppliers and partners,” explained Jonny Milliken, manager of the research team at Alert Logic. “Users don’t care how the data is lost – they still pay the price”

Another expert acknowledged that this seemed to be another case of human error, but that responsibility rested with the hotel chain.

“This is unfortunately another example of user error where a private database has been left publicly exposed,” said Javvad Malik, security awareness advocate at KnowBe4. “And while Choice Hotels may be correct in that the data was hosted by a third party and none of their servers were compromised, it does not change the fact that it was their customers data which was breached and that it has an obligation to ensure the security of its customer data whether its kept by themselves, or handed over to a third party.”

Another expert also agreed that Choice Hotels was responsible.

“Data breaches against sensitive data on MongoDB instances strike again!,” said Jonathan Deveaux, head of enterprise data protection at comforte AG. “Seems like a trend in 2019 where hackers are able to find publically available MongoDBs with no authentication or security required to access. And they are succeeding.”

“Choice Hotels did make a good decision electing to use fake data instead of real data for fields containing sensitive data such as passwords, reservation details, and payment info,” said Deveaux. “This decision resulted in less sensitive data exposed, which limits the damage a hacker could do to the customers whose data was compromised.”

“However, the decision to use real names, email addresses, and phone numbers in the MongoDB, does leave 700,000 customers subject to potentially targeted phishing emails or other scam attempts,” he said.

Do you know all about security? Try our quiz!