BlackCat has made available data from the MotelOne hotel chain, which included sensitive personal information. Guests should take action.
After a five-day deadline elapsed, over 5 TB of data and several million files from the MotelOne hack emerged on the Darknet. The BlackCat cybercriminals appear to have waited in vain for a ransom and have now acted.
It was reported last week that MotelOne had fallen prey to an extortion ring. The publication is unsurprising given that the cyber gang, also known as ALPHV, is not known for making idle threats. They have previously posted large databases, including highly sensitive patient data, to their Darknet presence. The same is true in this case: the BlackCat website contains a number of files from the hotel chain, including marketing materials such as menus and guest lists, as well as an old KeePass password database. Online samples indicate that some of the data is more than five years old, although some files date back to late summer this year.
MotelOne is attempting to mitigate the harm.
A MotelOne spokesman informed heise online that after learning about the cyberattack, they “immediately ensured that no further personal data could be obtained by the hacker group.” The appropriate authorities have been notified, and a criminal complaint has been lodged.
All affected credit cardholders whose cards are still valid have been notified. The hotel will contact other impacted individuals personally if necessary, according to the spokeswoman. They have also worked with external security specialists to prevent future unauthorized access.
Individuals who are affected can exercise their legal rights.
This may not provide comfort to affected visitors or data privacy advocates. EuGD, the litigation financier, has already set up an information page for people affected and has promised to look into potential compensation claims. “Based on the leaked data, travel profiles for nearly 5 years can be created, business relationships can be analyzed, as well as private hotel stays,” EuGD CEO Thomas Bindl warned. “The disclosure may cause substantial disruptions in the lives of individuals who are affected.”
Aside from the prospect of non-material compensation, impacted individuals have substantial information rights under the GDPR. Anyone who has stayed with the hotel chain in the last five years can request information by emailing MotelOne. The hotel company has published a contact address and a brief statement in the press area of its website for this purpose:
“According to initial analyses, address data from customers was accessed – including 150 credit card details. The affected card holders have already been informed personally.”
MotelOne may face further trouble from the appropriate supervisory authority. Aside from the question of whether the storage techniques and duration meet the GDPR’s stringent standards, significant fines could be imposed. Other hotel chains have been fined nine-figure sums in the last couple of years for breaking data protection regulations.