Some 700,000 customer records belonging to Choice Hotels International Inc. have been stolen and those behind the data theft are demanding a ransom payment of 0.4 bitcoin ($4,142) to delete their copy.

In a twist of a traditional failure to secure an online database story, those behind the data theft, revealed today, did not hack the data but simply downloaded it after finding it exposed to all and sundry on a misconfigured MongoDB database.

The theft was discovered by security researcher Bob Diachenko, who not only found the exposed MongoDB database but also that the data had been stolen. The discovery that the data had been stolen came in a novel way: Those behind the data theft left the ransom note in the exposed database.

The data stolen included full names, addresses, email addresses and telephone numbers, but credit card details and Social Security number were not exposed.

The database included 5.6 million records in total, but Choice Hotels, which had no idea that the data had been compromised until informed by Diachenko, told Comparitech that only 700,000 actual customer records had been stolen. The company also claimed that the data stolen was hosted on a vendor’s server and that no Choice Hotels servers were accessed, suggesting this is another case of a third-party service provider compromising the data of its clients.

Choice Hotel brands include Comfort Inn, Comfort Suites, Quality, Sleep Inn, Clarion, Cambria Hotels, MainStay Suites, Suburban, Econo Lodge and Rodeway Inn.

“Consumer privacy or the lack thereof is a huge societal concern and is manifesting itself through many forms, including regulation like the California Consumer Privacy Act and General Data Protection Regulation,” Chris DeRamus, co-founder and chief technology officer of cloud and container cybersecurity company DivvyCloud Corp., told SiliconANGLE. “The data stolen from Choice Hotels stands as another stark reminder that consumers are right to fear for their privacy until companies recognize their responsibility and invest in people, processes and tools that can ensure they identify and remediate risk before it can be exploited.”

In addition, DeRamus added, “the data stolen from Choice Hotels in this incident could be used by cybercriminals to launch sophisticated phishing attacks aimed at the guests’ whose information was compromised, potentially prompting them to unknowingly provide even more sensitive information to the hackers.”

Stephan Chenette, co-founder and CTO of enterprise security startup AttackIQ Inc., noted that cybercriminals are continuously looking for gaps in security defenses and overlooked basic security misconfigurations, such as a database unprotected by a password, to turn a quick profit.

“Companies must take a more proactive approach to cybersecurity,” Chenette said. “Continuously testing the efficacy of security controls is critical to ensuring any vulnerabilities are quickly identified and remediated, and to ensure that tools are actually functioning as expected.”

Photo: Travelarz/Wikimedia Commons