Cyber Incident Victim: Choice Hotels

Date: Jun 2019

Location: United States of America

Summary

A hospitality franchisor experienced a data leak when an unsecured vendor-hosted MongoDB database exposed 5.6 million records, including approximately 700,000 real guest entries containing names, email addresses, phone numbers, physical addresses, and consent statuses. The unprotected instance was accessed by attackers who left a ransom demand, though payment details and passwords were confirmed as test data. The exposure lasted four days before the database was secured following researcher notification. The incident prompted termination of the vendor relationship and implementation of additional security controls to prevent future exposures, while affected individuals faced heightened phishing and spam risks due to exposed personal information.

Description

On June 30, 2019, an unsecured MongoDB database containing Choice Hotels guest records was indexed by the BinaryEdge search engine, initiating a four-day exposure window. Security researcher Bob Diachenko discovered the publicly accessible database on July 2, 2019, finding it already compromised by attackers who had inserted a ransom note demanding 0.4 Bitcoin (approximately $3,856 at the time). The 3.8 GB database, named "ch," contained 5.6 million records with internal admin contacts using @choicehotels.com domains, enabling attribution to the hospitality company. Diachenko immediately notified Choice Hotels via email, but the company inadvertently filtered the notification without review. The database was secured later that same day.

Having received no response, Diachenko sent a second notification on July 28, prompting Choice Hotels to initiate an investigation. The company confirmed the data resided on a third-party vendor's server being used to evaluate a proposed tool, emphasizing no Choice Hotels systems were breached. Approximately 700,000 records in the "privacy log" table contained real guest information including full names, email addresses, phone numbers, physical addresses, and consent statuses. The remaining records consisted of test data with fabricated payment card details, passwords, and reservation information.

Choice Hotels terminated its relationship with the vendor responsible for the exposed database and implemented additional controls to prevent recurrence. The company acknowledged the exposure duration was limited to four days but confirmed malicious actors accessed the data before its remediation. While financial data remained uncompromised, the incident created phishing risks for affected guests through targeted emails or SMS messages leveraging exposed personal details. Choice Hotels established a Responsible Disclosure Program and invited Diachenko to assist in identifying security gaps. The investigation remained ongoing as of August 13, 2019, with no evidence suggesting misuse of the data at the time of reporting. This marked Choice Hotels' second significant data incident following a 2012 breach where sensitive customer information was inadvertently disclosed on marketing materials.
