Published on: January 18, 2025
A European hotel chain faced a severe data breach that leaked the personal data of millions of customers. The personal records of more than 25 million hotel customers were found.
While it’s impossible to tell exactly which hotel this was, the stolen info indicates that it came from the French hospitality firm Honotel Group. Honotel is a massive chain with 135 hotels spread across eight countries and a total valuation of over €1.2 billion.
While the company doesn’t have a history of data breaches, its position in the hotel market makes it a valuable target for hackers. It’s suspected that hackers cracked into a Honotel database, specifically the guest and booking management systems, because the leaked data explicitly mentions “SITE HONOTEL.”
Researchers with Cybernews discovered an “unprotected Elasticsearch server and Kibana interface,” which are tools designed for gathering and analyzing large amounts of data at once.
The stolen data includes full names, phone numbers, email addresses, country codes, dates of birth, language codes, property IDs, and loyalty points. It also included detailed records of customers’ stays, such as check-in time, number of days spent, etc. The breach could severely impact users.
No threat actors have claimed responsibility for the attack, but that doesn’t mean the breach doesn’t pose a serious risk for the hotel customers. Threat actors could use victims’ personally identifiable information (PII) for phishing schemes, targeted scams, or other sophisticated attacks.
While the attack hasn’t disrupted Honotel’s business, the company may face a hefty fine. Under the GDPR, a company can be fined 2-4% of its total global annual revenue for failing to implement proper security practices. If further investigations prove that Honotel was attacked due to lax security measures, it faces significant fines.
At this time, there is no concrete proof that the data belonged to Honotel.