Hacker News new | past | comments | ask | show | jobs | submit login
Choice Hotels Suffers Data Breach, Exposing 700k Customer Records (securitymagazine.com)
56 points by neogodless 62 days ago | hide | past | web | favorite | 11 comments

The article by the OP is slightly vague about the details of the breach. This one goes into more detail: https://www.comparitech.com/blog/vpn-privacy/choice-hotels-d...

But after reading the details, the whole situation looked nothing more than a straight-forward search on SHODAN.io for exposed DBs. A 'ransom' of $4,000 for 700k users is cheap to Choice Hotels compared to the others I've seen demanding $1M+ for the same number of users.

> The MongoDB database was made publicly available with no password or other authentication required to access it.

> The database was left exposed for four days.


Thanks - this is a much better article!

Anyone know if there is going to be a class action lawsuit started? I am a victim of this breach as I stayed at choice hotels in the past. My personal information was most likely leaked in this compromise. It is unacceptable that retailers collect our driver's license and personal information when staying at their property and then have the never to store it in their database after the reservation has been completed, especially when the room was inspected by house keeping and noted to have no issues. The personal information should be deleted!

700,000 records from a chain with 7,000 hotels, per the article. How do you know you're a victim of this breach? Assuming each hotel on average probably has occupancy of at least 100 rooms, it could account for just a single day of reservations across their organization.

In short, it seems too early to assume if you've ever stayed at a hotel you are a victim.

They sent me an email around 7:15 PM EST today. Lucky for me, that this is still active and monitored. But I don't think I used that (particular) email recently, and I can imagine for some, they won't get the same notification.

>Security researcher Bob Diachenko uncovered the exposed database and says the hackers left a ransom note, demanding almost $4,000 in Bitcoin.

Seems like a very inexpensive ransom for so much data.

Maybe the thieves have been frozen since 1967 and we will have to thaw out a British sex symbol to find them.

You would think the hackers would demand more than 4k in Bitcoin

I thought they would too after reading the headline, given it is supposed to be a 'ransom'. Either the $4k is a 'typo', or these guys are being generous to Choice Hotels.

If they are calling this a 'ransom' then they might as well get hired by Choice Hotels instead. As this is the most lousy ransom I have ever seen.

Maybe 4K bitcoin, or ~$40,000,000?

Not a comment on the article, but it seems like the GDPR compliance overlay for securitymagazine.com isn't GDPR compliant.

To quote the GDPR at (4)(11):

> ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

and (7)(4):

> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

If there's an alternative link that sits better with EU law on this, I think it might be better to switch to that instead.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact