News that 500 million pieces of client information were leaked from Huazhu Hotels Group Ltd went viral on social media Tuesday. Huazhu said it had reported the alleged leak to the police, Beijing Youth Daily reported.
The information include 123 million pieces of registration data on Huazhu's official website, such as name, mobile number, ID number and log-in pin; 130 million pieces of check-in records, such as name, ID number, home address and birthday; and 240 million pieces of hotel stay records, such as name, credit card number, mobile number, check-in and check-out time, consumption amount and room number.
Thirteen hotel brands belonging to Huazhu, including Hanting Hotel, Crystal Orange Hotel, VUE, CitiGO and Grand Mercure Hotels, are said to be involved in the leak.
On Tuesday, a post selling private information from Huazhu was rumored to have appeared on a "dark web" forum, asking for eight bitcoins or 520 Monero, equaling 370,000 yuan (about $54,306). Later, a Sina Weibo user called Qu Zilong wrote a post, later reposted by the official account of JDSEC TEAM, a civil organization focusing on internet security, detailing the leaked information. Qu said in the post the reliability of the information is relatively high.
Zpower, an intelligence provider on anti-cyber crimes, said the leaked information was real after running a check. It's speculated the leakage may have occurred after Huazhu's programmers uploaded its database connection to GitHub, a web-based software repository hosting service.
Huazhu responded twice on its official Sina Weibo account on Tuesday, saying it had reported the case to the police and hired a professional technology company to verify if the private information sold online was from Huazhu. It said it couldn't prove the information for sale is authentic and had started an internal investigation to make sure its clients' information is safe.
Shanghai police confirmed it had received Huazhu's report and was investigating the case.
Huazhu, established in 2005, manages more than 3,000 hotels in more than 370 cities in China, employing near 70,000 staff members. Its brands cover high-end, midrange and mass markets.
The leakage reflected the hotel company's management and technical problems, said Ma Xiaolong, a professor with the College of Tourism and Service Manangement at Nankai University.
A contract is formed after a consumer pays a hotel lodging fee, so the hotel is obliged to protect the safety of the consumer, including personal security, privacy and information security, Ma said.
The Law on the Protection of Consumer Rights and Interests stipulates operators should take technical and other measures to safeguard information security, to prevent leaking consumers' private information.