Photo/VCG

Aug. 29 (NBD) -- Chinese police is investigating a possible leak of customer information from Chinese hotel chain operator Huazhu Group Ltd. (Nasdaq: HTHT). 

A post emerged Tuesday showing a hacker was selling nearly 500 million pieces of personal data and booking information from the Chinese hotel group on the dark web for a total of 8 Bitcoins or 520 Moneros (around 55,823 U.S. dollars).

Huazhu, which ranked 9th among the world's largest hotel groups by Hotels magazine in 2017, operates a wide range of hotel brands, including Grand Mercure, VUE, Joya, Novotel, Mercure, Ji, Crystal Orange, Ibis Styles, HanTing, and Hi, covering all market segments and meeting diverse needs of customers. The group now runs more than 3,700 hotels in over 370 Chinese cities.

On the afternoon of the day, Huazhu issued a statement concerning the possible leak, saying the company pays great attention to the matter and an internal investigation has been launched to guarantee the safety of private data of hotel guests. The hotel chain has reported the incident to the police and has hired professional tech companies to verify whether the data sold online is from the group. 

Shares of Huazhu dived 4.36 percent to 33.98 U.S. dollars per share Tuesday (U.S. time). 

One safety expert who wished to remain anonymous told NBD the data sold online was more likely to be exported from the database. 

When asked about the possibility of whether other large hotel chains may also suffer data breaches, the expert said it is totally possible, especially for those who outsource the data information system. The data was leaked probably because hotel employees uploaded their company code that contain confidential information onto GitHub, the world's leading software development platform. 

For the public, there is nothing to do after the data breach, but according to the Cybersecurity Law of China, companies involved would be held liable for massive data breaches, the expert noted.  

However, Fang Chaoqiang, lawyer with Beijing Yingke Law Firm Hangzhou Office, said to NBD the matter should be analyzed in two ways. If the data was leaked by former employee or due to the collaboration from within with forces from outside, it is a problem of internal management and the hotel should take the blame. In another case, if hackers were involved but no necessary protection was in place, the hotel should also bear responsibility, or it will be viewed as a victim too, Fang explained.

Fang believes large hotel chains like Huazhu must have the highest level of safety protection.  

Email: lansuying@nbd.com.cn