Choice Hotels, a hospitality franchisor based in Maryland that owns chains such as Comfort Inn, MainStay Suites, Econo Lodge and Cambria Hotels, has suffered a cyber incident that exposed 700,000 guest records, including full names, addresses, phone numbers, email addresses and more.
The breach, discovered by independent researcher Bob Diachenko and reported by Comparitech, went undetected for days, allowing the attackers to exfiltrate millions of customer records from an insecure MongoDB database. According to the hotel chain, only 700,000 of the 5.6 million guest records found in the database included the personal data of actual guests – the rest being “test data.”
Via a ransom note, the attackers informed the hotel chain that they had the data. In exchange for not leaking it, they demanded 0.4 Bitcoin, equal to $4,200 at current prices.
Diachenko looked at the ransom note and hypothesized that it was left by an automated script targeting unsecured, public MongoDB databases. He further speculated that the script should have been designed to wipe the data after the attackers collected it, but somehow the mechanism failed to trigger. His theory is in no way verified, however.
Choice Hotels blames its hosting vendor:
“We have discussed this matter with the vendor and will not be working with them in the future,” the company said in a statement. “We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.”
Anyone who has recently stayed at Choice Hotels, or any of its franchised locations, is advised to keep close tabs on their inbox for phishing scams. Hackers typically use stolen personal data to craft persuasive cons, including SMS scams, to dupe the unwary into handing over account passwords or even hard cash.