3.7 Million Customers Data Of Hilton Hotels Put Up For Sale

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Jan 26, 2023 07:49 am PST

A member of the forum going by the name IntelBroker has offered a database containing the personal information of 3.7 million people participating in the Hilton Hotels Honors program. According to the actor who posed a threat, the data in question includes personally identifying information such as name, address, honors ID, and other similar details. A forum on the dark web has become the venue for the sale of user data belonging to Hilton Hotels.

According to what was written in the post, the user notified all users that he had uploaded the Hilton Hotels Honors 2017 Database for anyone interested in downloading. The actor posing a threat asserts that the data in question contains personally identifiable information (PII), such as names, addresses, and other information relating to a specific person. On the other hand, the hotel group’s spokeswoman categorically rejected any chance of a data breach report.

There is no proof to support the hypothesis that Hilton’s computer systems have been hacked. According to the official who talked to The Cyber Express, we can certify that no guest login credentials, contacts, or financial information may have been leaked. “We are currently conducting a thorough investigation into this report and taking all relevant actions to ensure the continuing security of the information belonging to our Hilton Honors members and guests.”


3.7 Million Users Of Hilton Hotels Honors Program Hacked

The threat actor asserts that the sample was taken from a database including 3.7 million customers who belonged to the Hilton Hotels Honors program and that hackers took the database in January 2023.

Four credit card alternatives are available through the Hilton Honors program; three are for personal use, and the other is for small businesses. American Express is the issuer of each and every one of these cards.

It would indicate that the sample data of Hilton Honors user information that the threat actor gave originated from the Hilton Tucson El Conquistador Golf & Tennis Resort in Arizona, United States of America. The reservations include the dates in June 2017, which lend credence to the assertion made by the potential threat.

The example had information such as the customer’s first and last name, Honors ID, hotel property, city, state, and nation, check-in and check-out details, room type code, and other relevant information.

Previous Data Breaches At Hilton Hotels

Hilton Worldwide reported in November 2015 a data breach that had occurred between 2014 and 2015 and had affected an unknown number of hotels, customers, and payment cards. The breach occurred between 2014 and 2015.

In September 2015, a writer specializing in security Brian Krebs published an article regarding the hack at Hilton. Despite this, the Hotel group persisted for several months in denying they had any knowledge of the security breach before finally admitting that the incident had occurred.

After this, the company stated that unauthorized malware had targeted payment card information in specific point-of-sale systems.

In March of 2015, Krebs sounded the alarm on the Honors program at Hilton Hotels. Members of the Hilton Honors Awards program who consented to change their passwords for the online service before April 1, 2015, were eligible to receive 1,000 free award points from the firm during that time period.

Despite security investigators Brandon Potter and JB Snyder tracking this campaign. They discovered an error in the website that allowed just about anybody to take hold of a Hilton Hotels Honors account by either knowing or trying to guess its valid 9-digit account number.

This was possible because the website contained a flaw that allowed unauthorized users to post comments. Due to this security vulnerability, the account could be taken over by anyone who knew or guessed the correct security code.

Krebs stated in March 2015 that the researchers could enter into a Hilton Hotels Honors account and take over any other account with just the number on the account by changing the site’s HTML code and reloading the page.

Ways Hotels Can Stay Safe From Cyberattacks

Hackers target hotels because they collect so much user data. The following listed below are some of the most significant ways in which these big industry hotels can equip themselves from cyberattacks and threats.

1. Provide Training and Authorization for Every Member of the Staff

Employees of hospitality firms need to receive training on the most current and effective cybersecurity best practices. Employees are required to maintain an up-to-date knowledge of best practices and should be made aware of any attempted cyberattacks as soon as they occur. The physical and digital security of the hotel is the collective responsibility of the entire front desk and housekeeping personnel.

2. Improve the infrastructure of the network

Hotels’ computer systems should be patched and updated as frequently as feasible to reduce the risks attached to potential security breaches. Specifically, hotels should focus their uttermost emphasis on repairing and updating their POS systems. This is especially important. Hackers can take advantage of a system’s vulnerabilities by attacking networks that have not had their patches installed. 

3. Determine the level of security offered by different vendors

A significant number of cyberattacks are carried out by utilizing the services of third-party suppliers. The attack surface of any organization includes third-party providers, who represent a significant threat to the system’s integrity and overall safety. It is the responsibility of the hotel’s security teams to guarantee that all of the hotel’s vendors satisfy a certain compliance level and to conduct frequent risk assessments of the hotel’s partners and vendors.

4. Conduct Internal Threat Hunting Research and Analysis

As a result of the many various types of software and hardware they employ, hotels leave behind enormous digital footprints. Hackers will frequently attempt to break into a network and then navigate the system to locate data they deem valuable. Consequently, security teams must monitor the traffic on their own internal networks to detect malicious activities and locate potentially illegal access.

5. Keep an eye out for any cyberattacks that come from outside the wire.

Monitoring for potential dangers within a business is an essential part of the jigsaw. Still, security staff also need to be proactive in scanning the outside world for potential dangers to their companies. Monitoring potential outside threats can help prevent and stop attacks before they happen.

6. Create a plan for handling unexpected events.

In the event that a data breach does take place, every hotel ought to have an incident response plan ready and waiting in order to facilitate the streamlining of the communication and mitigation process. Hotel security teams can only afford to do something other than wait around for attacks to occur. They need to operate under the assumption of being targeted and draw out a plan of what could happen.


On Monday, hackers claimed they were responsible for the theft of a database that contained information from customers who were enrolled in the Hilton Hotel Honors program the previous year. The information that is stored in the database includes not only people’s names but also their Honors IDs and their Honors Tiers, in addition to more granular information on bookings such as check-in dates and more. After thieves claimed to have broken into the company’s networks and taken data related to 3.7 million customers, the hotel chain Hilton denied that it had been hacked. A spokeswoman for Hilton confirmed to The Record that the company is looking into the allegations, even though they do not believe they have been hacked.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Julia O’Toole
Julia O’Toole , Founder and CEO
Industry Leader
January 30, 2023 2:09 pm

“Hilton has so far denied any claims of a breach, so it is not yet clear what this data relates to. However, with the threat actor claiming the breach took place in January 2023, if Hilton does discover the claims are legitimate, it is crucial they determine how the attackers gained access and take steps to prevent future breaches. 


The two main causes of security breaches are often compromised employee credentials or vulnerabilities being exploited. To protect against the first type of attacks, which involve credentials, access segmentation and encryption is the best defense. 


By segmenting network access and using strong encrypted passwords to lock digital doors, it would take attackers trillions of years to find the password of every door. And if they manage to gain access through a supply-chain attack, whether through a vulnerability exploit or a phished password, they would be unable to move within the network as all doors are locked individually with their own unique encrypted password. This limits the amount of data that can be lost in a single attack and stops large-scale data breaches and ransomware attacks.


Additionally, by encrypting user passwords, employees are protected from social engineering and phishing attacks, and security is less exposed to the behaviour of their employees.”

Last edited 8 months ago by Julia O’Toole
Erfan Shadabi
Erfan Shadabi , Cybersecurity Expert
InfoSec Expert
January 29, 2023 7:41 am

The leisure and travel industry is particularly vulnerable to targeted cybersecurity attacks. The data leak affecting Hilton Hotels demonstrates this fact, involving the records of nearly 500,000 Honors Members. Threat actors know that these industries collect and retain an enormous amount of personal and private data from their customers, so they are viewed as a potential gold mine worth attacking. Every business in this industry should embrace that fact and assume that a sustained attack is just a matter of time.
While the lingering effects of the pandemic are still wearing on the travel industry, its ongoing recovery must be accompanied by a firm commitment to data privacy and data security. Protecting customer data doesn’t just mean just guarding it with strong perimeters around data repositories containing data at rest. It also means applying protection directly to the data itself. Data-centric security methods such as tokenization and format-preserving encryption obfuscate sensitive data elements while enabling organizations to work with data in its protected state. A multi-pronged defensive strategy incorporating both traditional controls as well as data-centric protections is the right course of action for the business, and the right thing to do for customers.

Last edited 8 months ago by Erfan Shadabi

Recent Posts

Would love your thoughts, please comment.x