Hilton, Hyatt, Marriott: 437,000 data records from management platform at HIBP

Criminals have stolen data from the Otelier management platform. Around 437,000 data records relating to Hilton, Hyatt and Marriott, among others, are now in HIBP.

Last July, the hotel management platform Otelier had an uninvited online visitor who took advantage of the data stored there. A total of around 437,000 data records from customers of hotel chains such as Hilton, Hyatt and Marriott ended up in the wrong hands. The Have-I-Been-Pwned Project (HIBP) has now integrated the data into its own data pool in a searchable form.

According to a statement by operator Troy Hunt on the Have-I-Been-Pwned website, the breach at Otelier took place on July 1, 2024. Otelier is a management platform that offers its services to hotel chains, including well-known names such as Hilton, Hyatt and Marriott. The data set made available to HIBP comprises 436,855 data records, including customer email addresses. However, according to Hunt, a further 868,000 email addresses generated by booking.com and Expedia were not used.

In addition to email addresses, the leaked data also includes names, addresses, telephone numbers, purchases, travel plans and, in some cases, abbreviated credit card details. This allows criminals to launch more targeted phishing attacks on potential victims.

On the main page of Have I Been Pwned, interested parties can enter their email address and see whether it has been included in data leaks and thefts in the past. For services in which the email address appears, those affected should at least change their passwords and check whether unwanted modifications have been made. If available, they should also take the opportunity to activate multi-factor authentication or switch to passkeys if necessary.

On Friday last week, the HIBP project announced that around 250,000 data records from MSI customers had been added to the database. These were copied at MSI last year and relate in particular to customers who have made guarantee and warranty claims (RMA).

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.