Skip to main content

Choice Hotel Data Breach Affects up To 700,000 Customers

By August 29, 2019May 16th, 2022Cybersecurity

Recently, an independent researcher named Bob Diachenko worked collaboratively with Comparitech. They discovered an unsecured database containing nearly 700,000 hotel records belonging to Choice Hotels.  Unfortunately, although Diachenko reported his finding to the company, hackers had beaten him to the punch and had already downloaded the file. They are now demanding a ransom for its return.

An investigation into the matter is ongoing. A spokesman for Choice Hotels reported that the bulk of the file consisted of test information, including dummy payment card numbers, passwords and populated reservation fields.  They did confirm, however, the presence of some 700,000 genuine guest records and included names, addresses and phone numbers.

The hackers left a ransom note in the database, demanding 0.4 Bitcoin for the safe return of the data.  Based on recent prices, that amounts to about $4,000. Assuming the company decides to pay and assuming the hackers keep their word, that is a small price to pay given the number of compromised records.

Choice Hotels reported that the database was exposed when a third-party vendor accessed it as part of a proposal to provide a tool.  Due to the lapse in security, Choice Hotels has decided not to work with that vendor again.

Their announcement about the incident reads, in part, as follows:

“We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature… We are also establishing a Responsible Disclosure Program and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.”

This lukewarm response to the incident has done little to ease the concerns of Choice Hotels’ customers. To this point, no notifications have been sent out to customers whose data has been compromised.  If you stay at Choice Hotels when you travel, be mindful that you may be receiving targeted phishing emails and that your payment card information may have been compromised.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.