China Arrests Suspect for Customer Data Leak at Accor Partner
22.9.2018 securityweek
Crime

Shanghai police have arrested a man in connection with a data leak at NASDAQ-listed Chinese hotelier Huazhu Group after the suspect failed to sell the information online.

The 30-year-old suspect had hacked and stolen user data from hotels under Huazhu Group and tried to sell it on overseas websites, the police said in a statement late Wednesday.

Huazhu, one of China's biggest hoteliers and the local partner of France-based AccorHotels, had alerted police to reports in August that the company's internal data was being sold online.

Huazhu Group said in a statement to the New York stock exchange on Monday that "the suspect also attempted to blackmail Huazhu by leveraging public pressure, without success".

The potentially-leaked data included guest membership information, personal IDs, check-in records, guest names, mobile numbers and emails.

Shanghai police said the case is under further investigation.

Huazhu operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.

The sale of personal information is common in China, which last year implemented a controversial cybersecurity law that requires services to store user data in China and receive approval from users before sharing their details.

Before Huazhu formed a long-term alliance with Accor in 2014 to help the French hotel group develop the Chinese market, it experienced another user data leak.

Xinhua reported check-in records from Huazhu and other hoteliers were stored by third parties and leaked in late 2013 due to management system loopholes.

Chinese e-commerce giant Alibaba came under fire earlier this year over its handling of user data in an episode that underscores growing concerns for privacy in the hyper-digitised country.