Choice Hotel Data Breach Affects up To 700,000 Customers
Recently, an independent researcher named Bob Diachenko worked collaboratively with Comparitech. They discovered an unsecured database containing nearly 700,000 hotel records belonging to Choice Hotels. Unfortunately, although Diachenko reported his finding to the company, hackers had beaten him to the punch and had already downloaded the file. They are now demanding a ransom for its return.
An investigation into the matter is ongoing. A spokesman for Choice Hotels reported that the bulk of the file consisted of test information, including dummy payment card numbers, passwords and populated reservation fields. They did confirm, however, the presence of some 700,000 genuine guest records and included names, addresses and phone numbers.
The hackers left a ransom note in the database, demanding 0.4 Bitcoin for the safe return of the data. Based on recent prices, that amounts to about $4,000. Assuming the company decides to pay and assuming the hackers keep their word, that is a small price to pay given the number of compromised records.
Choice Hotels reported that the database was exposed when a third-party vendor accessed it as part of a proposal to provide a tool. Due to the lapse in security, Choice Hotels has decided not to work with that vendor again.
Their announcement about the incident reads, in part, as follows:
"We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature... We are also establishing a Responsible Disclosure Program and we welcome Mr. Diachenko's assistance in helping us identify any gaps."
This lukewarm response to the incident has done little to ease the concerns of Choice Hotels' customers. To this point, no notifications have been sent out to customers whose data has been compromised. If you stay at Choice Hotels when you travel, be mindful that you may be receiving targeted phishing emails and that your payment card information may have been compromised.