Personal data and booking information from 13 hotels operated by Huazhu Hotels Group (华住酒店集团) have reportedly been leaked in what could be the largest data breach in China in five years, according to Chinese cybersecurity media FreeBuf (in Chinese).
This morning, a post on a Chinese dark web forum titled “Huazhu-owned hotels booking data” claimed to be selling personal data and information of customers from Huazhu-owned hotels including Hanting Inns and Hotels (汉庭酒店), Hi Inn (海友酒店), and JI Hotel (全季酒店). According to local reports, 130 million customers are believed to be affected by the breach. Leaked information potentially includes 240 million lines of data containing phone numbers, email addresses, bank account numbers, and booking details.
The stolen data was originally selling for 8 bitcoins (equivalent to roughly RMB 350,000). The seller reportedly lowered its asking price to 1 bitcoin after the news spread quickly across local media.
Huazhu Hotels Group released an official statement (in Chinese) today saying that an internal investigation is underway and the public security bureau is investigating the case. The company currently operates over 3,000 hotels in China and has been ranked the 12th largest hotel group globally.
According to Threat Hunter, a Shenzhen-based cybersecurity firm, results of the data verification test indicate the authenticity of the leaked data is “very high.” The company noted that the suspected data breach “may be the most serious personal information leak in the country in five years.”
The central government has sought to crack down on the illicit data market, but such massive data leaks do not seem to be waning. In April, Chinese artist Deng Yufeng bought personal data of 346,000 Wuhan residents on the black market and exhibited it in an art gallery. It has also been found that customer data and information from food delivery platforms including Ele.me and Baidu were up for sale on Chinese social media platform QQ.