Indian Hotels Probes Alleged Customer Data Breach
1.5 Million Customers' Details Stolen From Taj Hotel Chain, Attacker Claims
Hospitality giant Indian Hotels said it's probing the alleged theft of sensitive data from its systems after a criminal claimed to have stolen data pertaining to 1.5 million customers.
The criminal, who uses the moniker "dnacookes," recently announced the theft in a post to the English-language cybercrime forum BreachForums. They claim they stole the data in 2020 and that it contains personal details, including name, email address, phone number, birthdate and address, for 1.5 million customers of the high-end Taj Hotels chain from 2014 through 2020.
Owned by Indian Hotels - aka IHCL - Taj properties include The Pierre in New York, and in India, the Taj Lake Palace in Udaipur and the Taj Mahal Palace in Mumbai.
Indian Hotels Company runs 263 hotels under not just the Taj but also the SeleQtions, Vivanta and Ginger brand names. The business reported $359 million in revenue for the first half of this year, up 18% from the same period last year.
Reached for comment, an IHCL spokesperson told Information Security Media Group that the hotel chain is aware of the criminal's data theft claims and is investigating them with help from law enforcement. The business has yet to confirm any breach of its systems or if the information might have been stolen from a third party.
Hotels in Hackers' Crosshairs
Hotels remain a top target for hackers on account of the valuable data they store, pertaining not just to people but also payment cards. Verizon's most recent Data Breach Investigations Report estimates that hackers target payment card data in 40% of all cyber incidents involving the accommodation and food service sectors.
Earlier this month, Marina Bay Sands, one of Singapore's best-known luxury resorts, reported discovering a breach on Oct. 20 that led to the theft of personal information pertaining to 665,000 of its Sands LifeStyle loyalty program members. Stolen details included names, email addresses, phone numbers and membership details.
Two other attacks recently hit some of the world's biggest hotel and casino operators based in Las Vegas. The BlackCat ransomware group, aka Alphv, appears to have targeted Caesars in late August and MGM Resorts in early September. Caesars paid attackers a ransom that was reportedly worth about half of the extortionists' initial $30 million demand.
MGM Resorts appeared to pay no ransom. After detecting the attack on Sept. 10 and suffering widespread disruption of systems, the company reverted to pen-and-paper processes, and its booking and reservation systems remained offline for weeks. The attack also led to customers being unable to use ATMs, hotel room door lock key cards and many slot machines.
MGM Resorts said the attack cost $110 million in lost revenue and mitigation expenses, which it expects to fully recoup via cyber insurance.