Personal Data of 130 Million Chinese Hotel Guests for Sale on the Darknet
A hacker is selling the personal data of over 130 million hotel guests on a Chinese underground forum for 8 bitcoins (about $56,000), according to cybersecurity company Zibao. The stolen data reportedly includes 240 million records related to guests of one of Chinaβs largest hotel chains.
Details of the Data Breach
The hacker claims to have obtained the data from Huazhu Hotels Group Ltd, a major hotel operator in China that manages 13 hotel brands with 5,162 hotels across 1,191 cities. The data dump is said to be around 141.5 GB in size and contains 240 million records about 130 million Huazhu hotel guests.
The information for each guest includes:
- Official registration details from the website (ID number, mobile phone number, email, login, and password)
- Registration details from the hotel itself (full name, ID number, home address, date of birth)
- Booking information (full name, card number, mobile phone number, check-in and check-out dates, internal hotel ID, room number)
Company Response and Investigation
Huazhu representatives have already released an official statement, which does not provide details about the breach but confirms that an investigation is underway and that law enforcement agencies are involved.
Experts from Zibao have stated that they were able to verify the authenticity of the data being sold and confirmed it is genuine. Researchers believe the leak occurred earlier this month and attribute the incident to Huazhu employees. According to Zibao, someone from the company accidentally uploaded copies of internal databases to GitHub, making them accessible to outsiders.