China police investigate possible data breach at hotel operator Huazhu Group

Thirteen hotel brands belonging to Huazhu, including Hanting Hotel, Crystal Orange Hotel, VUE, CitiGO and Grand Mercure Hotels (pictured), are said to be involved in the leak. PHOTO: FACEBOOK/GRAND MERCURE HOTEL, HONGQIAO, SHANGHAI

SHANGHAI (REUTERS, CHINA DAILY/ASIA NEWS NETWORK, XINHUA) - Chinese police are investigating a possible leak of client information from one of China’s largest hotel operators, Huazhu Group, after state media said nearly 500 million pieces of customer-related information from the group had emerged in an online post.

Shanghai's Changning District police said, on their official Weibo account late on Tuesday (Aug 28), that they had been alerted to the possible data breach by the company.

Huazhu, which is a public company listed on Nasdaq, operates 18 brands in China, including French hotel group AccorHotels' Mercure and Ibis hotels. The company's headquarters are in Shanghai's Changning district.

State news agency Xinhua reported on Wednesday that nearly 500 million pieces of information related to the hotel group's customers had emerged in an online post on Tuesday.

The information included 123 million pieces of registration data on Huazhu's official website, such as name, mobile number, ID number and log-in PIN; 130 million pieces of check-in records, such as name, ID number, home address and birthday; and 240 million pieces of hotel stay records, such as name, credit card number, mobile number, check-in and check-out time, consumption amount and room number.

Thirteen hotel brands belonging to Huazhu, including Hanting Hotel, Crystal Orange Hotel, VUE, CitiGO and Grand Mercure Hotels, are said to be involved in the leak.

On Tuesday, a post selling private information from Huazhu was rumoured to have appeared on a "dark web" forum, asking for eight bitcoins or 520 Monero, equalling 370,000 yuan (S$74,000).

A post written by user Qu Zilong on microblogging platform Weibo was later reposted by the official account of JDSEC Team, a civil organisation focusing on internet security, detailing the leaked information. Qu said in the post that the reliability of the information is relatively high.

Zpower, an anti-cybercrime intelligence provider, said the leaked information was real after running a check.

It speculated that the leak may have occurred after Huazhu's programmers uploaded its database connection to GitHub, a web-based software repository hosting service.

Huazhu responded twice on its official Weibo account on Tuesday, saying it had reported the case to the police and hired a professional technology company to verify if the private information sold online was from Huazhu.

It said it could not prove the information for sale is authentic and had started an internal investigation to make sure its clients' information is safe.

Huazhu, established in 2005, manages more than 3,000 hotels in more than 370 cities in China, employing nearly 70,000 staff members. Its brands cover high-end, midrange and mass markets.

The leak reflected the hotel company's management and technical problems, said Ma Xiaolong, a professor with the College of Tourism and Service Management at Nankai University.

A contract is formed after a consumer pays a hotel lodging fee, so the hotel is obliged to protect the safety of the consumer, including personal security, privacy and information security, Ma said.

China's Law on the Protection of Consumer Rights and Interests stipulates that operators should take technical and other measures to safeguard information security and prevent the leaking of consumers' private information.