700,000 records belonging to Choice Hotels have reportedly been stolen with hackers demanding payment for their return.
Comparitech, in collaboration with security researcher Bob Diachenko, found an unsecured database containing data belonging to the hotel franchise on July 2, 2019, after the database was indexed by the BinaryEdge search engine.
The MongoDB database was available to the public with no password or authentication in play, leaving a total of 5.6 million records exposed.
According to Choice Hotels, the bulk of the records was only test information, including the payment card, password, and reservation fields; however, 700,000 records were genuine and contained information on guests such as names, email addresses, and phone numbers.
Diachenko made Choice Hotels aware of the security incident on the same day of his discovery. However, someone with less honorable intentions got there first.
While investigating the database, the researcher found a ransom note. The message claimed that 700,000 records had been stolen and backed up elsewhere and demanded 0.4 Bitcoin (BTC), approximately $4,000 at the time of writing, from the owners.
It is possible that the note was placed there by an automated script hunting for public MongoDB databases and the researcher believes that the hackers may have intended to wipe the database after copying the data.
This would have placed serious pressure on the vendor to pay up, but thankfully, the wipe failed.
Database access was closed off on July 2 and it appears the system was exposed for a total of four days. Choice Hotels says the database, while linked to the firm, was operated by a partner vendor and no internal Choice Hotels servers were accessed.
“The vendor was working with the data as part of a proposal to provide a tool,” a Choice Hotels spokesperson said.
Due to the security lapse, the hotel franchise will not be working with the unnamed vendor in question. However, it did take a further nudge by Diachenko on July 28 for the company to commit to launching an investigation.
It is not believed at this stage that any financial information or Social Security numbers were involved in the data breach, but this does not mean the apparent theft could impact customers.
TechRepublic: Why adware and Trojans plague the education industry
The data stolen may end up being used in tailored phishing campaigns, for example, in which names and contact details will be used to make malicious messages appear genuine — either via email or text — for the purpose of grabbing more sensitive and valuable information. Increased levels of spam arriving in guest inboxes are also possible.
“We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature,” Choice Hotels told Comparitech. “We are also establishing a Responsible Disclosure Program, and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0