Choice Hotels Data Breach Happened Through Accidental Exposure

Date: 09/10/2019

The recent Choice Hotels data breach contains so many cybersecurity variables that it is difficult to process the entire breach. Three separate problems all came together to expose an estimated 5.6 million records, although the situation is not as dire as it might seem.

Problem #1 – An accidental data breach

The first issue in the Choice Hotels data breach was an exposed server. Accidental overexposure data breaches are becoming more common, and they result from a mishap on the part of the entity in charge of securing company information. They typically involve online storage services, which are basically remote servers housed somewhere else. A company logs into its account, stores all of its sensitive information and pays a fee for the service. This arrangement is supposed to be more secure and to let businesses access their data from anywhere. Too often, though, the server is left unprotected, without a password to secure it. That means literally anyone who stumbles upon it online can access all of the information.

Problem #2 – Someone found it

In many accidental overexposures, the company is alerted to the problem by an outside security researcher or helpful tech expert who discovered it. These events are still treated as serious matters since someone could have found and stolen the information quietly. In the case of the Choice Hotels data breach, someone did find it and stole the records, then left a note demanding Bitcoin payment as ransom in order to delete their copy and not tell anyone about the breach.

While this was not actually ransomware, which is software that infects your system and holds it hostage until you pay the hacker’s fee, the tactic was the same: pay up, or we sell your information and announce that you were breached.

Fortunately, Choice Hotels did not try to cover it up. They carried out a cybersecurity investigation and learned that the amount of stolen information was far smaller than they had originally thought. It was around 700,000 records and may have only included names, email addresses and phone numbers, which is still serious, as scammers can use this information to target these customers with phishing attacks.

Problem #3 – It wasn’t Choice Hotels’ server

The third variable in the Choice Hotels data breach was an outside vendor who left their own server unprotected. While the information belonged to Choice Hotels and was, therefore, their responsibility, a third-party vendor was using the database to demonstrate a new tool that would help Choice Hotels with some aspect of service. Instead, the vendor left their server exposed and allowed the information to be accessed by a hacker.

This kind of third-party relationship has long been the weak link in cybersecurity. The now infamous Target data breach in 2013, for example, involved an HVAC company that serviced some Target stores. Hackers worked their way into the company’s computers due to lax security practices and used that connection to steal millions of payment card account credentials on Black Friday that year.

It is odd to see so many things go wrong in the same data breach, but it happens. The Choice Hotels data breach, while limited in size and potential damage, should serve as a wake-up call to businesses that are working diligently to protect their customers’ data. It is critical that businesses understand who can access information, what they can do with it, how vulnerable it might be and what harm can come about as a result.

If you are a victim of identity theft in need of assistance, you can receive free remediation services from ITRC. Call one of our expert advisors toll-free at 888.400.5530 or LiveChat with us. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

