Chinese police are investigating a possible breach at a major hotel group which could have affected over 100 million customers.
Shanghai's Changning District police confirmed on Tuesday it was called out by Huazhu Group which operates more than 3000 hotels in hundreds of cities, running 18 brands domestically including foreign chains Mercure and Ibis hotels.
The incident came to light after a dark web vendor put data allegedly stolen from the group up for sale for eight Bitcoins ($55,600).
State media claimed that 500 million records were stolen. These reportedly included 123 million registration details including names, mobile numbers and ID numbers; 130 million check-in records including names, addresses and birth dates and 240 million hotel stay records including card and mobile numbers.
Cybersecurity intelligence firm Zibao reportedly suggested the breach may have happened when the hotel’s developers uploaded a database to GitHub.
Andy Norton, director of threat intelligence at Lastline, speculated that the hackers in this case may not be experienced.
"It looks like human error is to blame for this breach. It also looks like the threat actors selling the data don't have the contacts or infrastructure to monetize the stolen IDs individually,” he explained. “It could be that speculative Google dorking resulted in a script kiddie holding this data and trying to sell it.”
Tim Mackey, technical evangelist at Synopsys, added that if the GitHub rumors are true the hack appears to be in the same opportunistic mold as last year's Uber breach.
“Development teams using public source code systems like GitHub and public continuous integration (CI) systems like Travis-CI need to recognize that any developer activity which causes a push to a public repository or a public branch can be viewed by others,” he said.
“The increasing popularity of hosted development tools like GitHub, Jira and Travis-CI make them ideal sources of information for malicious actors.”
If there are any EU citizens' data amongst the trove it will also be interesting to see how China reacts to a possible GDPR investigation.