How Hotels Leak Guest Details

Payment details and personal data of hotel customers are a prime target for cyber criminals, who break into Wi-Fi networks and booking systems to get them. This is a digest of leaks from hotel chains, prepared by InfoWatch Analytical Center.

In October, Radisson Rewards members were directly informed of a leak of personal information: names, physical addresses, countries of residence, email addresses, telephone numbers, and Radisson Rewards member numbers were compromised. The hotel chain's advisory suggests that employee accounts with permission to access this data were potentially at fault, having been fraudulently accessed by an attacker. Radisson Hotel Group has not revealed how many members of the loyalty scheme have been affected, but keeps saying that the figure is "less than 10 percent."

One of the largest data breaches in China's history hit Huazhu Hotels Group. A post on a Chinese dark web forum claimed to be selling information on 130 million customers of Huazhu-owned hotels, including names, phone numbers, email addresses, bank card data, and booking details. Supposedly, the data leaked through an insecure channel while a database was being uploaded to GitHub. The stolen data was originally offered for eight bitcoins (equivalent to roughly $54,000). The seller reportedly lowered the asking price to one bitcoin after the news spread quickly across local media.

In summer, hackers attacked the servers of Fastbooking, which handles reservations for 4,000+ hotels in 40 countries. Prince Hotels (Japan) was among the victims, with cyber criminals pilfering approximately 125,000 personal data records, including names, addresses and payment details.

Hotels with public Wi-Fi networks expose their customers to an extra risk, as this is the channel hackers like most. Having penetrated the network, hackers can steal an identity or a password for a mobile banking log-in. Recently, a Chinese researcher who visited Singapore to attend a conference decided to highlight this issue. While staying at a Fragrance Hotel, he vividly showed how vulnerable the local Wi-Fi network was by hacking into the hotel's internet gateway and describing the entire process in his blog. The white hat hacker compromised some confidential data, which could otherwise be used by cyber criminals to perform a serious attack against the hotel. Singapore authorities fined the researcher SGD 5,000 (USD 3,600) for hacking into the hotel's Wi-Fi system without authorization.

In the era of cloud storage, the human factor is quite often behind the compromise of confidential data, and hotels and their partners are no exception. For example, the HBook travel booking system in Brazil left the data of its 430,000+ users unsecured, with order details and credit card numbers disclosed online.