Massive data breach at major hotel chain alleged

Expert says information being sold online for bitcoin appears genuine

Shanghai police said on Wednesday that they are investigating a claim that Huazhu Hotels Group Ltd, one of the country's largest hotel operators listed on the Nasdaq, had experienced a massive data breach.

A post went viral on the internet on Tuesday claiming that nearly 500 million pieces of personal information related to customers had been exposed. The chain has more than 3,000 hotels nationwide.

"The police are still investigating the case, and we cannot tell so far whether the alleged data breach really happened or not, or if it was caused by hackers or a programmer inside the group," said Shen Qian, head of the publicity division of the Changning district public security bureau in Shanghai. Shen confirmed that the police received a report from Huazhu on Tuesday indicating that customer data from the group was being sold on an overseas website.

"The police have cracked down on any illegal behavior used to obtain, purchase, exchange or sell personal information. Any entity or business that holds personal information should strengthen its data protection," the police wrote in a social media post on Tuesday.

According to the post alleging the breach - by Sina Weibo user Qu Zilong, founder of a Chinese organization that focuses on internet security - the leaked information included 123 million pieces of registration information, including names, mobile phone numbers, ID numbers and login pins. There were 130 million pieces of information regarding check-ins, such as names, ID numbers, home addresses and birthdays; and 240 million pieces of hotel stay records, including names, credit card numbers, mobile phone numbers, check-in and checkout times and consumption amounts. The package of information was sold at eight bitcoins, equaling 370,000 yuan ($54,000).

Thirteen hotel brands belonging to Huazhu, including Hanting Hotel, Crystal Orange Hotel, VUE, CitiGO and Grand Mercure Hotels, were said to be involved in the information breach, according to the post.

Qu said in the post that the reliability of the information was relatively high. ZPower, an anti-cybercrime intelligence provider based in Suzhou, Jiangsu province, said after running a check that the leaked information was authentic.

Phone calls to Huazhu went unanswered on Wednesday.

The group responded on its social media account on Tuesday, saying that it had launched an internal investigation and hired a professional technology company to verify the sources of the personal information sold online.

The data breach reflected the hotel group's technical management, said Ma Xiaolong, a professor at the College of Tourism and Service Management of Nankai University in Tianjin.

A contract is formed when a consumer pays a hotel lodging fee, so the hotel is obligated to protect the safety of the consumer, including personal security and private information, he said.

The China Tourist Hotel Association launched an initiative for its members on Wednesday advising them to regularly conduct safety tests to prevent consumers' personal information leakage or loss.

"All the members should also strengthen staff management to prevent illegal behavior, such as selling or leaking such information," the association said.