Massive Data Breach Threatens Guests of Huazhu Hotels

In what could be one of the biggest data-breach cases in China, nearly 500 million pieces of personal data and booking information were reportedly leaked from leading Chinese hotel chain operator Huazhu Group Ltd.

A post emerged online Tuesday selling information related to customers, bringing concerns over the data breach to light. Huazhu is one of the biggest economy hotel operators and franchisors in China.

Huazhu told Caixin that the investigation is still underway and asked for help from internet platforms to prevent the circulation of the information. Nasdaq-listed Huazhu’s stock tumbled over 3.5% Tuesday morning.

Internet security company Zpower Inc. said in a statement that it detected the data breach, which could involve personal identification information on 130 million customers of 13 Huazhu hotels.

Zpower said it verified the data, found that some of the data was sold on the online black market and reported the case to Huazhu and police. Zpower said the breach also involved 123 million pieces of Huazhu’s online user registration information and 240 million pieces of hotel booking records.

Shanghai-based Huazhu said it is working with the public security authority. Huazhu said it also hired data security professionals to launch an internal investigation. The Changning district branch of the Shanghai Public Security Bureau confirmed Huazhu’s report.

Hotels affected include top Huazhu brands such as Hanting Hotel, Orange Hotel and Elan Hotel, as well as franchise hotels of international brands Ibis and Ibis Styles.

The case is the latest to put online privacy protection under the spotlight. Chinese authorities have launched a crackdown on crimes involving internet privacy violations. As of July 2017, regulators tracked down at least 1,800 data-breach cases and arrested nearly 5,000 suspects, according to official figures.

Last week, Caixin reported that a group of Chinese companies were found stealing up to 3 billion pieces of user data from 96 tech companies — including e-commerce giant Alibaba Group Holding Ltd.

According to a police statement, a group of companies led by Shenzhen-listed Ruizhi Huasheng Technology Corp. hijacked data from the country’s major state-owned mobile carriers and sold it for profit. The stolen data included user registration information on the popular messaging app WeChat and e-commerce platform Taobao.

With a primary focus on economy and midprice hotels, Huazhu had 3,903 hotels with 393,417 rooms in operation as of June 30, according to the company. Huazhu reported 2.5 billion yuan ($367 million) of revenue in the second quarter this year, up 25.9% from a year earlier.

Contact reporter Han Wei (weihan@caixin.com)