Hackers have pilfered some 700,000 customer records from the giant Choice Hotels chain, including names, addresses, emails and possibly phone numbers, a report said.
The heist resulted from an exposed MongoDB instance the hackers discovered, according to a blog posted by Comparitech, a U.K.-based, consumer focused product and services reviewer, collaborating with security researcher Bob Diachenko. The MongoDB database was reportedly left unsecured with no password or other authentication needed for access. The hackers left a ransom note demanding .4 Bitcoin or roughly $4,000.
Apparently, by the time Diachenko discovered the vulnerability, the cyber extortionists had already been there with a ransom note attached. Diachenko figured that the ransom demand was left by an automated script targeting publicly accessible MongoDB databases. The script may have been intended to wipe the database after copying it but failed to carry out the commands, the blog said.
While the database housed nearly six million records in total, the majority of which contained test but not actual customer data, it’s the 700,000 stolen credentials that included some personally identifiable information (PII). Records with fields containing passwords, reservation details, and payment information only contained fake test data, the company said. However, Choice customers staying at one of its properties should be on the lookout for a rash of spam directed at their telephones and email, officials said.
Choice said the exposed data was hosted on a third-party vendor’s server, a relationship it has chosen to sever as fallout from the data breach. “We have discussed this matter with the vendor and will not be working with them in the future,” Choice officials told Comparitech. “We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.”
The Maryland-based hotel franchisor owns brands such as Comfort Inn, MainStay Suites, Econo Lodge, and Cambria Hotels among its 7,000 properties in 41 countries.