Choice Hotels: If a + b + c = d, then oops, we might have leaked some Safari users" personal info

Choice Hotels has advised its customers to watch out for fraud after an extremely specific security lapse may have compromised their personal data.

In a notice to customers, the hospitality franchise says the lapse requires numerous specific factors to come together to present a threat. In fact, the circumstances that could lead to a leak are so specific that it probably only affects a handful of customers. However, as one of the world”s biggest hotels chains, Choice serves many EU residents and is obliged under the Union”s new data protection legislature – mainly the GDPR – to issue a formal notice if it has even the slightest doubts about the safety of its customers” data. Readers can find the relevant excerpt from the Choice Hotels advisory below:

Choice recently learned of a technical issue that only occurred in a specific circumstance. The cause of the issue has been addressed. The issue involved information entered by a visitor to Choice”s website being inadvertently accessible to third parties, with whom Choice has a business relationship, when the visitor”s web browser crashed while on the site. Choice uses technology to track activities that occur on its website (e.g., cookies), and that technology sends data to companies that provide services to Choice. For visitors to Choice”s website who used the Safari web browser, if Safari crashed and restarted, Safari would put information that had been typed by the visitor on the page into the website address for that page. Tracking technology reads the website address of pages on Choice”s website and sends the data to third parties. Except in a Safari crash circumstance, the page address does not contain information entered by visitors. We believe this occurred because of how the code for Safari was written.

This specific issue occurred approximately 88,000 times from June 2015 through November 12, 2019. Choice identified the guest reservations involved that occurred since April 2016 and has sent emails to those guests. We believe that this scenario occurred very infrequently from June 2015 – March 2016 (likely less than 25 times), but we do not have information available to identify the specific guests so we are issuing a press release and posting this notice to notify those guests.

Any readers who may have found themselves in these very specific circumstances are entitled to know that IF their data somehow got into the wrong hands, the data may include: the name of the person making the reservation, email address, state, zip code, country code, and the number and expiration date of the payment card used to make the reservation. Choice says that, for any users making a reservation using a mixture of points and payment, “the external verification value on the card” (i.e. CVV/CVC security code) may have also been leaked.

The advisory was, in fact, published in late November but was only picked up by the media this week. It”s not impossible that some customers find themselves affected at some point. However, Choice claims it has contacted every relevant third party that might have received the data and demanded they delete it.

Considering this was not a targeted cyber-attack and the data wasn”t actually leaked on the open internet, there should be no reason to believe the data has made it into the wrong hands. Choice nonetheless advises affected customers to keep a close eye on their bank statements and to avoid falling into phishing traps, or any suspicious / unsolicited emails or SMS messages.

Since identifying this highly-specific scenario, Choice has tweaked its website”s code to override how Safari responds in the event of a crash. Starting November 12 – when the flaw was patched – anyone making their first reservation with Choice through a Safari web browser should no longer be affected.