But after reading the details, the whole situation looked like nothing more than a straightforward search on SHODAN.io for exposed DBs. A 'ransom' of $4,000 for 700k users is cheap to Choice Hotels compared to the others I've seen demanding $1M+ for the same number of users.
> The MongoDB database was made publicly available with no password or other authentication required to access it.
> The database was left exposed for four days.
In short, it seems too early to assume if you've ever stayed at a hotel you are a victim.
Seems like a very inexpensive ransom for so much data.
If they are calling this a 'ransom' then they might as well get hired by Choice Hotels instead, as this is the most lousy ransom I have ever seen.
To quote the GDPR at (4)(11):
> ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
If there's an alternative link that sits better with EU law on this, I think it might be better to switch to that instead.