
Choice Hotels Suffers Data Breach, Exposing 700k Customer Records - neogodless
https://www.securitymagazine.com/articles/90733-choice-hotels-suffers-data-breach-exposing-700000-customer-records
======
rvz
The article by the OP is slightly vague about the details of the breach. This
one goes into more detail: [https://www.comparitech.com/blog/vpn-privacy/choice-hotels-d...](https://www.comparitech.com/blog/vpn-privacy/choice-hotels-data-leak/)

But after reading the details, the whole situation looked nothing more than a
straightforward search on SHODAN.io for exposed DBs. A 'ransom' of $4,000 for
700k users is cheap to Choice Hotels compared to the others I've seen
demanding $1M+ for the same number of users.

> The MongoDB database was made publicly available with no password or other
> authentication required to access it.

> The database was left exposed for four days.

Classic.

~~~
neogodless
Thanks - this is a much better article!

------
newguy1234
Anyone know if there is going to be a class action lawsuit started? I am a
victim of this breach as I stayed at choice hotels in the past. My personal
information was most likely leaked in this compromise. It is unacceptable that
retailers collect our driver's license and personal information when staying
at their property and then have the nerve to store it in their database after
the reservation has been completed, especially when the room was inspected by
housekeeping and noted to have no issues. The personal information should be
deleted!

~~~
kijeda
700,000 records from a chain with 7,000 hotels, per the article. How do you
know you're a victim of this breach? Assuming each hotel on average probably
has occupancy of at least 100 rooms, it could account for just a single day of
reservations across their organization.

In short, it seems too early to assume if you've ever stayed at a hotel you
are a victim.

~~~
neogodless
They sent me an email around 7:15 PM EST today. Lucky for me, that this is
still active and monitored. But I don't think I used that (particular) email
recently, and I can imagine for some, they won't get the same notification.

------
RcouF1uZ4gsC
> Security researcher Bob Diachenko uncovered the exposed database and says the
> hackers left a ransom note, demanding almost $4,000 in Bitcoin.

Seems like a very inexpensive ransom for so much data.

~~~
adingus
Maybe the thieves have been frozen since 1967 and we will have to thaw out a
British sex symbol to find them.

------
msalvy
You would think the hackers would demand more than 4k in Bitcoin

~~~
rvz
I thought they would too after reading the headline, given it is supposed to
be a 'ransom'. Either the $4k is a 'typo', or these guys are being generous to
Choice Hotels.

If they are calling this a 'ransom' then they might as well get hired by
Choice Hotels instead. As this is the most lousy ransom I have ever seen.

------
mrmr1993
Not a comment on the article, but it seems like the GDPR compliance overlay
for securitymagazine.com isn't GDPR compliant.

To quote the GDPR at (4)(11):

> ‘consent’ of the data subject means any freely given, specific, informed and
> unambiguous indication of the data subject's wishes by which he or she, by a
> statement or by a clear affirmative action, signifies agreement to the
> processing of personal data relating to him or her;

and (7)(4):

> When assessing whether consent is freely given, utmost account shall be
> taken of whether, inter alia, the performance of a contract, including the
> provision of a service, is conditional on consent to the processing of
> personal data that is not necessary for the performance of that contract.

If there's an alternative link that sits better with EU law on this, I think
it might be better to switch to that instead.