Local authorities are currently investigating a data breach at a Chinese hotel group that could have exposed customers' personal information.
Huazhu Hotels Group headquarters (Source: Wikipedia)
According to the Xinhua state news agency
, Shanghai police launched an investigation into a data security incident involving Chinese hotel management company Huazhu Hotels Group Ltd.
A report from Beijing News
reveals that the trouble started on 28 August when a post surfaced on the dark web. The post, which sold for eight Bitcoins (approximately $55,330 at the time of publication), claimed to contain the ID card information and registration information of 130 million people who had previously stayed at one of Huazhu's company brand locations. It also allegedly consisted of 363 million additional data records pertaining to the hotel's registration systems.
As of this writing, Huazhu is working to verify whether the leaked information originated from its systems.
Security firm Zibao analyzed the incident and determined that the dark web post consisted of new information and not details disclosed in previous data breaches. The company also found that the breach apparently resulted from a Huazhu programmer accidentally uploading a company database to GitHub, reported BBC News
The Chinese hotel group reported the incident to local law enforcement, which is looking into the matter with the help of hired forensic experts.
Huazhu, which was created in 2005, operates more than 3,000 hotels in more than than 370 Chinese cities and employs more than 70,000 people. The hotel group is therefore much larger than both Hyatt Hotels, a Chicago-based hospitality company which suffered a 2015 breach that affected 250 hotels in 50 countries
, and Starwood, a hospitality chain which experienced a point-of-sale (POS) breach between November 2014 and May 2015 at 50 of its North American locations
These incidents highlight the importance of retail and hospitality organizations taking steps to strengthen their digital security against breaches, both malicious and accidental. Learn how Tripwire's solutions can help in this regard here