Police Probe Sale of 130 Million Chinese Hotel-Goers' Data

Hotel Giant Huazhu May Have Accidentally Uploaded Access Credentials to GitHub
Joya Hotel in Dalian, China, operated by Huazhu Hotels Group (Photo: Huazhu)

Police in China are investigating the apparent loss of 130 million customers' personal details from Huazhu Hotels Group. The data exposure may trace to a Huazhu production database for which access credentials were accidentally uploaded to GitHub, the web-based code sharing and development platform.

Publicly traded Huazhu, which is based in Shanghai and listed on NASDAQ, bills itself as being the world's 12th-largest hotel group. The company operates more than 3,000 hotels under 13 brand names - including Joya Hotel, Manxin Hotels & Resorts and Novotel - across more than 350 cities in China. Since 2014, Huazhu has also operated hotels under the French hotel group AccorHotels' brand names, including Mercure, Sofitel and Ibis. In May, Huazhu took a 4.5 percent stake in AccorHotels.

Police in Shanghai have confirmed that they're investigating.

"Those who commit illegal acts including theft, trading and exchange of residents' personal data will be heavily punished," the Shanghai police say in a statement. "We are resolute in protecting people's interest and ensuring information security."

Huazhu on Thursday told Information Security Media Group that it's continuing to assist police with their investigation.

The company on Tuesday issued a statement saying that in the wake of reports that its customer data was for sale online, it "immediately implemented an internal audit to guarantee the safety of our guests' information," as well as "called the police without any delay" and also brought in third-party digital forensic investigation experts "to verify whether the 'relevant personal information' being sold online" had come from the hotel management group.

Huazhu also issued a reminder that selling or disseminating the stolen data online could constitute a criminal offense, and said all "network users and platforms involved [should] immediately delete and stop disseminating the information."

For Sale: Hotel Customers' Data

Awareness of the data breach came after a vendor on a Chinese-language "darknet" cybercrime forum - reachable only by using the anonymizing Tor browser - began advertising the credentials for sale, saying they'd been obtained from a Huazhu database on Aug. 14.

Stolen Huazhu customer data was advertised on a Chinese-language darknet site

The seller set the price for the entire tranche of stolen data at 8 bitcoins, currently worth about $55,500.

According to the stolen database vendor's description, the data set comprises 240 million records and totals 142 GB in size. The stolen information allegedly includes:

  • User account data: 123 million records contain information customers used to register online with hotels, including ID card numbers, mobile phone numbers, email addresses and login passwords, totaling 53 GB of data.
  • Check-in data: 130 million customers' check-in registration information, including their identity card number, home address and birthday, totaling 22 GB of data.
  • Hotel records: 240 million records pertaining to customers' name, room number, mobile phone number, check-in and departure times and records of what they consumed, totaling 66 GB of data.

Security experts have said that Huazhu's development team appears to have accidentally uploaded access credentials for the production database to GitHub, around Aug. 8.

In the wake of those reports, Shanghai-based IT angel investor Yin Ran told South China Morning Post that data breaches are becoming more rampant and posing an increasing risk to Chinese businesses and consumers. "Strangers would approach us for trading of personal data owned by our portfolio firms," Yin said. "The potential risks are huge and such illegal behavior must be eradicated to pave the way for further development of digitalized businesses."

Data Breaches in China

Like the rest of the world, China hasn't been immune to the increasing pace and severity of data breaches, as well as intensifying fears that the buying and selling of people's personal information has been eroding their privacy.

In April, Deng Yufeng, a 32-year-old artist based in Beijing, highlighted the problem by launching an exhibit titled "346,000 Wuhan Citizens' Secrets." Wuhan is the capital of China's Hubei province, from which the artist hails.

Deng's exhibit featured the Wuhan residents' personal details, hung on a wall, partially redacted and only visible using a special light.

Volunteers excise personal information from the exhibit at the Wuhan Art Museum in Wuhan, Hubei province, in April 2018. (Source: Deng Yufeng's Weibo account)

Deng said he was able to acquire the information online, including names, genders, ages, home addresses, phone numbers, license plate numbers, as well as travel and shopping records, for about $800. The artist said he amassed the information over a six-month period via Taobao, an e-commerce platform.

Police shut down the exhibit just two days after it opened and warned Deng that they were investigating him for breaking the law.

Risk of GitHub Data Exposure

Meanwhile, if the Huazhu breach traces to its developers having inadvertently uploaded credentials to GitHub, the hotel chain wouldn't be the first organization to have done so.

Ride-sharing service Uber last November disclosed that around October 2016, an outsider had accessed 57 million accounts of its riders and drivers worldwide, stored in a backup file on Amazon's S3 storage service. Uber's developers had uploaded credentials for the Amazon S3 bucket to a private GitHub site they used (see Pennsylvania Sues Uber Over Late Breach Notification).

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
