Choice Hotels has contacted customers following a data
breach said to involve 700,000 customer records.
In a statement, the company said the breach was due to a
third-party vendor who "copied the impacted data from our environment
without authorization" and moved it to its server.
Choice went on to say that, in the process, the third party's
server was accessible from the internet for a few days.
Choice said that while much of the data was fake, some guest
information such as names, addresses, phone numbers and email addresses was
included in the data.
The company said that the vendor deleted the database from
its server and that it has "ended its relationship" with the vendor.
Choice asks customers to be aware of phishing emails or
other texts and mailings going forward.
It also asks customers and its hotels to contact the data
company's data protection officer with any questions.
This is the latest in a string of recent security breaches
in the travel industry involving high-profile brands including British Airways
and Marriott. Both companies recently received record-breaking fines from the U.K.'s
Information Commissioner's Office.
Security experts say the industry has become more of a
target, especially for nation state adversaries, because of the amount of
information travel companies hold about their customers.
Patrick Martin, head of threat intelligence at risk-protection
service Skurio, said brands should be aware that "going public with this
kind of information can inadvertently encourage threat actors to probe
organizations with similar databases for vulnerabilities."
"Looking into an open container as a security
researcher or opportunist is one thing, but if you start reading contents,
including ransom notes, then it could be argued in court that you have crossed
a line, which places focus back to whoever uncovered this information,"