Choice Hotels International, Inc., has taken steps to address and notify guests of an issue involving inadvertent disclosure of certain guest information to third parties with whom Choice has business relationships. While most guests involved have been contacted already, the company is issuing this press release to alert the small number it could not identify. The issue occurred very infrequently from June 2015 – March 2016 (likely less than 25 times), but information to identify specific guests involved during this timeframe is unavailable. Overall, this issue occurred approximately 88,000 times from June 2015 through November 12, 2019, and Choice has already notified individuals involved from April 2016 forward by sending them an email.
Choice Hotels notes that it understands the importance of data security, and protecting guest information is a priority. The company recently learned of a technical issue that only occurred when a visitor to its website was using a Safari browser, typed information in a field on the page, and the browser crashed and restarted. Under these circumstances, Safari put information that had been typed by the visitor on the page into the website address in order to repopulate the page when the browser restarted. Choice uses technology to track activities that occur on its website (e.g., cookies), and that technology sends data read from the website address of relevant pages to companies that provide services to it. Except in a Safari crash circumstance, the page address sent to these companies did not contain information entered by visitors.
As soon as Choice identified what caused this issue, the company made changes to its website to override how Safari responds after a crash. Choice is also contacting the third-party companies it works with to ask them to delete any data they may inadvertently have.
What Information Was Involved?
If a visitor was using Safari and was on the reservation page when the browser crashed, the information typed in fields on that page that could have been put in the website address when the browser restarted may include the name of the person making the reservation, email address, state, zip code, country code, and the number and expiration date of the payment card used to make the reservation. If the reservation was being made using a mixture of points and payment, the external verification value on the card may have also been in the website address.
The company has also set up a web page that details the incident, as well as instructions on how to direct questions to its Data Protection Officer.