Hackers claim to have stolen 700,000 customer records from Choice Hotels thanks to an exposed MongoDB instance, it has emerged.
The US-based chain, which runs franchised outlets in over 40 countries worldwide, is now being held to ransom after the hackers left a note demanding 0.4 Bitcoin (around $3800) in payment for the data, which they claimed to have copied.
Security researcher Bob Diachenko worked with security firm Comparitech to discover the database, which was left completely exposed online. However, hackers had already got there: the database had been online without password protection for only four days before attackers found it.
Although the database held 5.6 million records in total, Choice Hotels told Comparitech that most of these were test data. The roughly 700,000 genuine records that were stolen included customers' names, email addresses and phone numbers.
The server itself is said to have been owned and managed by a third party who was working with the hotel chain on a new “tool.”
“We have discussed this matter with the vendor and will not be working with them in the future,” Choice Hotels told Comparitech in an email.
“We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr Diachenko’s assistance in helping us identify any gaps.”
Diachenko believed the ransom note was left by an automated script set up specifically to target exposed MongoDB databases, although it didn’t succeed in wiping the data.
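The exposure described above comes down to two settings in the daemon's configuration: the instance listened on an interface reachable from the internet, and authorization was off, which is MongoDB's default. Automated scripts like the one Diachenko suspected simply connect to anything on port 27017 that answers without credentials. The following audit script is an added example, not code from Choice Hotels, its vendor, Comparitech or the researcher; both configurations it checks are constructed for illustration, and the hypothetical private subnet address in the hardened one is an assumption.

```python
"""Audit a mongod.conf (YAML) for the pair of settings that make an instance
world-readable: binding to every interface while authorization is disabled.
Added example with constructed configs; not code from any party in the article."""

# Constructed example of a weak configuration (hypothetical, not from the article).
WEAK_CONF = """\
# mongod.conf left behind by a test deployment
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
security:
  authorization: disabled
"""

# Constructed hardened counterpart; 10.20.0.5 is an assumed private app-server address.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5   # loopback plus the private interface only
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the 'section:\\n  key: value' subset that mongod.conf uses.
    Deliberately not a full YAML parser: no lists, anchors, quoting or
    multi-line values, and '#' always starts a comment."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Close any section whose indent is not shallower than this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weak setting is present."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # MongoDB 3.6 and later default to localhost when bindIp is absent.
    addrs = {a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")}
    bind_all = net.get("bindIpAll", "false").lower() == "true" or bool(addrs & {"0.0.0.0", "::"})
    if bind_all:
        findings.append("net: listens on all interfaces (bindIpAll or 0.0.0.0/::)")

    # Authorization is off unless explicitly enabled; this is MongoDB's default.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security: authorization not enabled (MongoDB default)")

    if len(findings) == 2:
        findings.append("CRITICAL: unauthenticated access from any network that can reach the port")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

The script only reads the daemon's own configuration; a bindIp of 0.0.0.0 behind a firewall or cloud security group that blocks port 27017 is still a finding worth fixing, and a localhost-only bindIp does not help if the host is later fronted by a port-forwarding proxy, so pair it with an external port scan of the deployment. Enabling authorization also requires creating at least one user with a password, otherwise the setting locks everyone out.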
This is only the latest of many similar incidents involving unsecured MongoDB instances.
This year alone, hundreds of millions of individuals have had their personal data exposed, including 200 million Chinese CVs, 12.5 million Indian mothers, and 808 million records from an email validation firm.
Unsurprisingly, hackers are getting wise to these misconfigurations: earlier this month it was revealed that attackers stole 2.1 million records from a Mexican bookstore, demanding a ransom.
KnowBe4 security awareness advocate Javvad Malik argued that the Choice Hotels incident is yet another example of user error.
“While Choice Hotels may be correct in that the data was hosted by a third party and none of their servers were compromised, it does not change the fact that it was their customer data which was breached,” he added. “It has an obligation to ensure the security of its customer data whether it's kept by themselves, or handed over to a third party.”