According to comparitech, hackers stole 700k guest records from an unsecured MongoDB database used by Choice Hotels. According to Choice, the database was hosted on a vendor's server and was left vulnerable for four days. No Choice Hotels servers were compromised. Choice has since terminated its relationship with this vendor. Apparently, the database held 5.6 million records but most of it was test data, only 700k was associate with real customers of the hotel chain. The hackers demanded 0.4 bitcoin or approximately $3,800 for the data. According to comparitech the database was targeted by an automated script looking for publicly accessible databases. The script was likely supposed to wipe the database after copying it but failed to do so.
With the information that was made available to the hackers, customers of Choice Hotels will face more sophisticated phishing scams that could be sent in the form of emails, phone calls or text messages. The scams may be more convincing because of the information available to the bad actors. SPAM could also be a problem.
Security experts weigh in on the data breach:
Jonathan Deveaux, head of enterprise data protection at comforte AG:
“Data breaches against sensitive data on MongoDB instances strike again! Seems like a trend in 2019 where hackers are able to find publicly available MongoDBs with no authentication or security required to access. And they are succeeding. In this case, discovered by Bob Diachenko, a vendor working on a proposal for a project, was responsible for the MongoDB and the server instance hosting the database. Choice Hotels were responsible for supplying the data.
Choice Hotels did make a good decision electing to use fake data instead of real data for fields containing sensitive data such as passwords, reservation details, and payment info. This decision resulted in less sensitive data exposed, which limits the damage a hacker could do to the customers whose data was compromised. However, the decision to use real names, email addresses, and phone numbers in the MongoDB, does leave 700,000 customers subject to potentially targeted phishing emails or other scam attempts. Business and security leaders in companies need to consider the ‘Zero-trust’ model. Changing the approach from ‘some data,’ to ‘ALL DATA’ needs to be protected, will help reduce and possibly eliminate data exposures like this, especially where there are several security gaps which can be avoided.”
Elad Shapira, VP Research, Panorays:
“Choice Hotels are saying that their customer data was exposed through their supplier. This poses the necessary question: who carries the brunt of such breaches – the third party that was hacked or the company that relied on the third party? Past attacks have shown that while the third party suffers from associated breach costs, the company that uses the third party is greatly impacted as well. From brand damage to actual loss of revenue.
When it comes to private information, the company may even be at breach of privacy regulations and certainly suffer from customer loss of confidence. Take for instance the too well-known Target breach from a few years ago. The compromise of credentials at an HVAC vendor caused Target to admit the breach, replace their executive team and carry the associated breach costs. With the breach at Choice Hotels, it’s the hotel guests who made these reservations and they place the responsibility on the hotels. Companies need to be aware that outsourcing a business unit to a third party does not relieve them also from the security burden. They need to ensure that their partner has the right level of security before engaging with them, and if already engaged with them, to demand a minimum security standard.”
Dan Tuchler, CMO, SecurityFirst:
“We will always have a race between attackers and defenders of data security. Not to be overlooked are the security researchers, who play an incredibly important role in identifying weaknesses and exposed data, and helping companies secure that data. But in this case the response was too slow, and hackers got their hands on the data before it could be protected. Companies need to understand that a fast and strong response to this kind of threat is always needed.
"Once again a vendor has compromised the data of the company they were working for. In this case, due to the vendor’s poor security practices they will not be hired, so both the hiring company and the vendor have suffered from this breach. This breach also highlights the practice of using live data for testing, putting customer data at risk before the solution is tested and hardened. It’s a common practice and one that frequently leads to bad outcomes.”
Justin Fox, Director of DevOps Engineering for NuData Security, a Mastercard company:
“The Choice Hotels breach reminds merchants and other companies that their systems are never entirely safe from breaches; these can happen at any time, and companies need to have their post-breach process ready.
"At the same time, the stolen data will be tied to other pilfered data to build full personas used for identity theft or fraudulent account creation. This sort of data exposure is why so many organizations – from the hospitality sector through to eCommerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics. In doing so, they’re shifting from 'let's make our company a bunker for all users' to 'let's build the bunker for risky users only.' They do so by using technology that doesn't rely on data that could have been exposed in a breach, thus preventing post-breach damage.
"As a preventive measure, before the breach happens, an organization must focus on storing data points securely - by making use of cryptographically secured formats like a SHA256 or SHA512 hash of the information. If an organization successfully hashes the data point with a salt and encrypts the resulting data, the stolen data becomes significantly less valuable to the attacker.”