We uncovered personally identifiable information (PII) stolen from a China-based hotel chain being sold on a deep web forum we were monitoring. Further analysis revealed that the stolen data covered not only Chinese customers but also the hotel chain's customers from Western and East Asian countries. The sample data we saw was unencrypted plaintext, some of it in CSV, SQL, and TXT dumps.
We believe this stolen data is related to the data breach (reported on August 29) that exposed up to 130 million PII records. The news reports of the breach matched an advertisement we saw on the dark web selling the stolen data for eight bitcoins (equivalent to more than US$58,000 as of September 5, 2018).
The advertisement claimed that the stolen data included names, mobile phone numbers, email addresses, ID numbers, and residential addresses, among others, totaling 53GB (about 123 million records). A second set of stolen data included customer information such as registered check-in time, customer name, ID number, home address, birthday, and internal ID number; it amounted to 22.3GB (around 130 million ID records).
A third data set (named history.csv) included customer names, room numbers, card numbers, mobile numbers, email addresses, check-in and departure times, and hotel ID numbers. This data set is 66.2GB (around 240 million records). According to the advertisement, these data sets were posted on August 14, 2018. Sample data was also available, offered as a compressed 1.37MB file.
Given the apparent profitability of stolen data, the advertisement naturally drew the interest of potential buyers. One buyer in particular was interested only in data on female customers. Another threat actor (as shown in Figure 3) is selling a vulnerability in a hotel management system; that advertisement also shows the portal's URL.
The data from the hotel chain is only a portion of what is being sold in the deep web forum. The following are examples of other stolen data and illicit products we found being sold there:
- Student-, hotel-, and financial investment-related PII. This PII included full names, Alipay accounts, WeChat bills, debit card details, and other finance-related data.
- Banking and ID card information; interestingly, this is sold in the form of pictures of people holding the IDs, likely done as proof of identification.
- PII of contestants of a national pageant. The PII included names, physical attributes, and social media accounts.
- Stolen Taiwanese and Brazilian credit card data (payment can be sent to the user’s Steam account).
- PII of residents in Beijing.
- China national passports and other documents.
- Personal pictures of young female users in QQ accounts.
Our various research efforts have shown that stolen and leaked PII is a staple offering in many cybercriminal underground marketplaces, which makes data privacy and security a must for organizations. The amount and kinds of PII exposed in this breach, along with the sheer volume of stolen data peddled on the forum, highlight the importance of securing every layer of an organization's online premises, particularly in light of the EU General Data Protection Regulation (GDPR) and the hefty fines it imposes. Hotels and the wider hospitality industry are a prime target because they are considered a goldmine of PII that can be monetized or, in some cases, abused and misused for other malicious purposes. Organizations that store, process, and manage sensitive data should enforce more robust data privacy policies and strengthen their security mechanisms to deter intrusions, limit further exposure of data, and respond promptly to breaches. Users should also practice security hygiene to safeguard their personal data against theft and abuse.