Cyber Incident Victim: Huazhu Group Ltd
Date: Aug 2018
Location: China
Summary
A major data breach exposed nearly 500 million customer records from a NASDAQ-listed hotel operator, compromising registration details, personal information, and booking histories across its extensive brand portfolio. Following an online leak, Shanghai police initiated an investigation at the company's request while urging enhanced data protection measures. The affected organization launched internal reviews and engaged external technical experts to trace the source of the illicit data sale. The incident impacted customers of numerous hotel brands operated by the group across hundreds of Chinese cities.
Description
On August 28, 2018, an online post containing approximately 500 million pieces of customer data from Huazhu Group Ltd. surfaced, triggering a major data breach incident involving one of China's largest hotel operators. The exposed information included customer registration details, personal identification data, and hotel booking records spanning multiple brands under the Huazhu umbrella. Shanghai police confirmed the same day that they had initiated an investigation following an official report filed by the hotel group. Changning District police authorities publicly announced their involvement on the evening of August 28, vowing to combat illegal information transactions stemming from the breach while urging businesses to enhance data protection measures. Huazhu responded by immediately launching internal inspections and contracting an external technology firm to trace the origin of the leaked data being offered through online channels.

The breach impacted extensive customer records across Huazhu's diverse portfolio of hotel brands, which included international partnerships such as Accor's Mercure and Ibis properties in China, along with domestic brands like Hanting and Crystal Orange. As a NASDAQ-listed corporation operating more than 3,000 hotels across 370 Chinese cities, the incident exposed vulnerabilities in the data management systems of a major hospitality player with significant market presence. The compromised dataset's unprecedented scale—representing hundreds of millions of customer interactions—highlighted risks associated with centralized storage of sensitive guest information. Law enforcement focused on investigating potential criminal transactions involving the stolen data while emphasizing corporate accountability for cybersecurity safeguards. Huazhu's dual response strategy combined operational self-assessment with third-party technical verification to address both immediate forensic requirements and systemic security gaps.
