• Shanghai police arrested the hacker for selling 140 GB data that included the personal information of millions of Huazhu hotel guests.
  • The hacker also attempted to blackmail Huazhu to pay a ransom for the recovery of its data.

Shanghai police on Wednesday, September 19, confirmed the arrest of the hacker responsible for selling data hacked and stolen from the Chinese hotel chain - the Huazhu Hotel Group - on the dark web. The Huazhu Hotel Group had also announced the arrest in an investor message earlier on Monday.

According to a report by ZDNet, Shanghai police did not release the hackers’ identity. However, according to local reports, the hacker is a 30-year-old man named Liu.

Although it is still unclear as to how the breach has occurred, local reports suggest that the breach could have occurred in early-August, when Huazhu’s engineers unknowingly uploaded database programming details to GitHub.

The breach, which was first reported in late August, involved Huazhu customers' data popping up for sale on the dark web for just 8 Bitcoins - approximately equivalent to $56,000. The stolen data is reportedly over 140GB in size and appeared as an advertisement on the dark web.

Further insight into the incident also revealed that the data sold was not only the personally identifiable information (PII) of Chinese customers but also those from Western and East Asian countries. A total of 53 GB of data, including names, mobile phone numbers, email addresses, ID numbers, and residential addresses were also put up for sale by the hacker.

Dark web sale was unsuccessful

Huazhu confirmed that the data advertised on the dark web belonged to its customers, after verifying it with the help of an external security firm. The Chinese hotel chain also said that the hacker blackmailed the hotel into paying a ransom for the recovery of its data, by taking advantage of the public pressure surrounding the exposure of the data leak. However, Huazhu claims that the attacker was unsuccessful in selling the data.

Shanghai police warned that anyone caught illegally trading or exchanging personal data would be “heavily punished.”

“Given the seeming profitability of stolen data, this advertisement naturally drew the interest of potential buyers," Trend Micro researchers, who discovered the breach, wrote in a blog. "There is one particular buyer interested in female-only data. Another threat actor is selling a vulnerability in a hotel management system.”

Hotels have lately become a favored target of among cybercriminals. Most hotel guests generally use a payment card and are required to provide some ID while checking in. This information is generally logged and stored by hotels. This, in turn, makes organizations in the hospitality industry highly valuable targets for cybercriminals. Given how easily such data can be sold on the dark web to make a quick profit, such breaches will likely continue to affect organizations in the future.

Cyware Publisher