Chinese police investigate possible leak of 130 million hotel guests’ data

The Shanghai police is investigating what seems to be the loss of 130 million customers’ personal data from the Huazhu Hotels Group after the data appeared for sale on a dark web forum.

The Huazhu Hotels Group, which manages more than 3,800 hotels across 382 mainland cities, found a dark web forum post advertising the sale of its clients’ personal data and booking information.

The stolen data allegedly includes:

  • 123 million records (53 GB of data) containing online registration information, including mobile phone numbers, email addresses and passwords;
  • 130 million customers’ check-in information (22 GB of data), including identity card numbers, home addresses and birthdays; and
  • 240 million hotel records (66 GB of data), including customer names, room numbers and check-in and departure times.

Security experts believe that one of the Chinese hotel group’s databases was accidentally uploaded to GitHub.

In a statement to the BBC, the Huazhu Hotels Group said that it “called the police without any delay”.

The Shanghai police said: “Those who commit illegal acts including theft, trading and exchange of residents’ personal data will be heavily punished […] We are resolute in protecting people’s interest and ensuring information security.”

Shanghai-based IT angel investor Yin Ran warned South China Morning Post about the regularity of data breaches in China and said, “Strangers would approach us for trading of personal data owned by our portfolio firms.

“The potential risks are huge and such illegal behaviour must be eradicated to pave the way for further development of digitalised businesses.”

Subscribe to our newsletter for updates on the latest cyber attacks, data breaches and information security guidance >>


Keep up to date with developments and resources in the IT GRC market. Subscribe to our newsletter.