August 28, Chinese hotel management company Huazhu Hotel Group, also known as China Lodging Group was reported to be involved in a large data breach incident. Approximately 130 million hotel guests’ personal data and booking information from 13 Huazhu operated hotels was leaked in.

A hacker is selling those leaked data for 8 bitcoin or 520 Monero (equivalent to roughly RMB 350,000; or US$5600) on a Chinese dark web forum.

According to a description titled “Huazhu-owned Hotels Booking Data”, the stolen data is 141.5GB in size and contains 240 million records including customers’ full name, ID card number, phone number, email address, bank account number, home address, and other booking details such as check-in time, departure time, room number.

Approximately 130 million customers of Huazhu operated hotels including Hanting Hotel, Grand Mercure, Joye, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan, Haiyou are affected by the breach.

Huazhu Hotels Group currently operates over 3,000 hotels in China and has been ranked the 12^th largest hotel group in the world. This data breach has a bad effect in all Huazhu operated hotels.

Threat Hunter, a Shenzhen based cybersecurity firm has provided the data verification results:

Based on their data testing results, the youngest guest was born in 1995, and the latest departure time is August 13.

The results of data cross-validation also exclude the possibility of old data, as thus, instead of mixed with old data, most of the leaked data is up to date.

In conclusion, Threat Hunter believes that the authenticity of the leaked data is very high. The firm also indicated that this data breach may be the largest and most serious personal information leak incident in China in five years.

Huazhu Hotels Group has released an official statement on Weibo today, saying that they are carrying out a series of internal investigation and the public security bureau is investigating this case.

The firm also emphasized that both selling or buying the leaked information are illegal in China and calls on the offenders participating in this data leak case to stop spreading their hotel guests’ information.