Choice Hotels: If a + b + c = d, then oops, we might have leaked some Safari users’ personal info

Choice Hotels has advised its customers to watch out for fraud
after an extremely specific security lapse may have compromised their personal
data.

In a notice to customers, the hospitality franchise says the lapse
requires numerous specific factors to come together to present a threat. In
fact, the circumstances that could lead to a leak are so specific that it
probably only affects a handful of customers. However, as one of the world’s
biggest hotel chains, Choice serves many EU residents and is obliged under the
Union’s new data protection legislation – mainly the GDPR – to issue a formal
notice if it has even the slightest doubts about the safety of its customers’
data. Readers can find the relevant excerpt from the Choice Hotels advisory
below:

Choice recently learned of a technical issue that only occurred in a specific circumstance.
The cause of the issue has been addressed. The issue involved information
entered by a visitor to Choice’s website being inadvertently accessible to
third parties, with whom Choice has a business relationship, when the visitor’s
web browser crashed while on the site. Choice uses technology to track
activities that occur on its website (e.g., cookies), and that technology sends
data to companies that provide services to Choice. For visitors to Choice’s
website who used the Safari web browser, if Safari crashed and restarted,
Safari would put information that had been typed by the visitor on the page
into the website address for that page. Tracking technology reads the website
address of pages on Choice’s website and sends the data to third parties. Except
in a Safari crash circumstance, the page address does not contain information
entered by visitors. We believe this occurred because of how the code for
Safari was written.

This specific issue occurred approximately 88,000 times from June 2015 through
November 12, 2019. Choice identified the guest reservations involved that
occurred since April 2016 and has sent emails to those guests. We believe that
this scenario occurred very infrequently from June 2015 – March 2016 (likely
less than 25 times), but we do not have information available to identify the
specific guests so we are issuing a press release and posting this notice to
notify those guests.

Any readers who may have found themselves in these very
specific circumstances are entitled to know that IF their data somehow got into
the wrong hands, the data may include: the name of the person making the
reservation, email address, state, zip code, country code, and the number and
expiration date of the payment card used to make the reservation. Choice says
that, for any users making a reservation using a mixture of points and payment,
“the external verification value on the card” (i.e. CVV/CVC security code) may
have also been leaked.

The advisory was, in fact, published in late November but was only picked up by the media this week. It’s not impossible that some customers find themselves affected at some point. However, Choice claims it has contacted every relevant third party that might have received the data and demanded they delete it.

Considering this was not a targeted cyber-attack and the data
wasn’t actually leaked on the open internet, there should be no reason to
believe the data has made it into the wrong hands. Choice nonetheless advises
affected customers to keep a close eye on their bank statements and to be
wary of phishing traps and any suspicious or unsolicited emails or SMS
messages.

Since identifying this highly specific scenario, Choice has tweaked
its website’s code to override how Safari responds in the event of a crash. Starting
November 12 – when the flaw was patched – anyone making their first reservation
with Choice through a Safari web browser should no longer be affected.
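
The leak path in the advisory is form input ending up in the page address, which tracking code then forwards to third parties. As an added example (not Choice's code and not its actual fix), the JavaScript below scrubs a page URL with a parameter allowlist plus an email and card-number check before the URL is reported; the parameter names, function names and URLs are constructed assumptions.

```javascript
// Added example: scrub a page URL before handing it to third-party tracking code.
// Parameter names and the sample URL are constructed, not taken from Choice's site.
const ALLOWED_PARAMS = new Set(["hotel", "checkin", "checkout", "utm_source"]);

// Constructed sample: a reservation URL polluted with typed form fields.
const SAMPLE_URL = "https://hotels.example/reserve?hotel=NY123&firstName=Ann" +
  "&email=ann%40example.com&cardNumber=4111111111111111&exp=1225&checkin=2019-11-01";

// Luhn checksum: true for digit strings that are valid as payment card numbers.
function passesLuhn(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Second line of defence for allowlisted parameters: flag values that contain
// an email address or a 13-19 digit run that passes the Luhn check.
function looksSensitive(value) {
  if (/[^\s@]+@[^\s@]+\.[^\s@]+/.test(value)) return true;
  const runs = value.replace(/[ -]/g, "").match(/\d{13,19}/g) || [];
  return runs.some(passesLuhn);
}

// Returns the URL that may be reported, plus the names of the dropped parameters.
function sanitizeUrlForTracking(rawUrl) {
  const url = new URL(rawUrl);
  const dropped = [];
  for (const name of new Set(url.searchParams.keys())) {
    const values = url.searchParams.getAll(name);
    if (!ALLOWED_PARAMS.has(name) || values.some(looksSensitive)) {
      url.searchParams.delete(name);
      dropped.push(name);
    }
  }
  url.hash = ""; // assumption: the tracker does not need the fragment
  return { url: url.toString(), dropped };
}

console.log(sanitizeUrlForTracking(SAMPLE_URL));
```

The allowlist fails closed: a parameter the site did not anticipate, such as one a browser adds when restoring a page, is dropped rather than forwarded.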
