Hackers claim to have stolen 700,000 guest records belonging to Choice Hotels, one of the largest hotel chains in the world. Security researcher Bob Diachenko discovered the unsecured database, which was left exposed and accessible to anyone with an internet connection.
Diachenko immediately notified the company of the exposed MongoDB instance, but it appears malicious actors got to it first. The hackers apparently stole and demanded ransom for more than 700,000 customer records belonging to major hotel franchisor Choice Hotels, including names, addresses, payment records, email addresses, and phone numbers.
The company says the data was hosted on a vendor’s server, and no Choice Hotels servers were accessed. “The vendor was working with the data as part of a proposal to provide a tool”.
Consumer privacy (or the lack thereof) is a huge societal concern and is manifesting itself through many forms, including regulation like the California Consumer Privacy Act and General Data Protection Regulation. The data stolen from Choice Hotels stands as another stark reminder that consumers are right to fear for their privacy until companies recognize their responsibility and invest in people, processes, and tools that can ensure they identify and remediate risk before it can be exploited.
Hotels collect highly sensitive information on their guests including copies of passports/IDs, payment information, names, phone numbers, email addresses and more. As such, cyberattacks aimed at hospitality organizations are on the rise. In the past year, we’ve seen multiple hotel giants suffer from data breaches, such as Marriott’s Starwood Hotels and Pyramid Hotel Group.
The data stolen from Choice Hotels in this incident could be used by cyber criminals to launch sophisticated phishing attacks aimed at the guests whose information was compromised, potentially prompting them to unknowingly provide even more sensitive information to the hackers. Most of these breaches are caused by misconfigurations that are exploited by an attacker, and many are from cloud misconfigurations. To prevent misconfigurations and protect against data leakage, companies should employ automated cloud security solutions that continuously monitor cloud environments for proper security controls and can even trigger automated remediation in real time in the event of a misconfiguration.
Due to a database being left unsecured for four days, cybercriminals have reportedly gained access to information of 700,000 Choice Hotels customers. The database contained personally identifiable information including names, email addresses and phone numbers, which leaves these impacted individuals vulnerable to further phishing attacks and fraud.
Cybercriminals are continuously looking for gaps in security defenses and overlooked basic security misconfigurations (like a database being left without a password), to turn a quick profit. Therefore, companies must take a more proactive approach to cybersecurity. Continuously testing the efficacy of security controls is critical to ensuring any vulnerabilities are quickly identified and remediated, and to ensure that tools are actually functioning as expected.
There are 3 pillars of information security – people, process and technology – and, unfortunately, this is yet another example of a breach that occurred because of a simple security mistake. Leaving a database publicly accessible without even basic security such as password protection is inexcusable. When individuals create user accounts on websites, they should be able to trust that their personal information will be kept safe – obviously, having this data fall into the wrong hands can be incredibly dangerous for those who are affected. Organisations must take the proper cloud security steps, including leveraging single sign-on (SSO), data loss prevention (DLP), along with visibility and control over sharing permissions, in order to secure their database, maintain compliance with regulations, and protect the sensitive consumer data that they have been entrusted with.
Any company which retains user data has a responsibility to protect it in their own systems, but also by enforcing good security practice on suppliers and partners. Users don’t care how the data is lost – they still pay the price.
This breach is a great example of the significant – and often underestimated – security risk that third party vendors present. The actions of any person or entity who can access your most critical systems and applications should be monitored. That can be done with modern machine learning algorithms that compare current behaviour of all users, including third parties, to baselined “normal” behaviour. By doing so, organisations can identify anomalous trends and spot outliers to remediate threats.