Taj Hotels Data Breach: personal info of 1.5 million customers allegedly leaked

The Tata-owned Taj Hotels group may have experienced a data breach, potentially exposing the personal information of around 1.5 million of their customers, as reported by ET.

The Tata-owned Taj Hotels group may have experienced a data breach, potentially exposing the personal information of around 1.5 million of their customers, as reported by ET. The breach occurred earlier this month, and a threat actor, identified as “Dnacookies,” is reportedly demanding $5,000 for the complete dataset. The leaked data includes addresses, membership IDs, mobile numbers, and other personally identifiable information (PII).

A spokesperson for Indian Hotels Company Ltd (IHCL), the company managing the Taj Group, said to ET, “We have been made aware of someone claiming possession of a limited customer data set which is of non-sensitive nature. Safety and security of our customers’ data is of paramount importance to us.”

Advertisement

The threat actor, “Dnacookies,” posted on BreachForums, stating that the customer data spans from 2014 to 2020 and has not been disclosed to anyone so far. Dnacookies set three conditions for any potential deal: the involvement of a middle person with admin designation, no splitting of data (all or nothing), and no additional samples provided.

ET was initially made aware of this by a security researcher who wished to be anonymous. On November 5, ET examined the breach post on the cybercrime marketplace BreachForums, where the threat actor had posted a sample of 1,000 rows of distinct entries.

IHCL’s spokesperson mentioned ongoing investigations into the claim and notified relevant authorities. The company asserts that there is no indication of a current security issue impacting business operations.

The cybersecurity watchdog, the Indian Computer Emergency Response Team (CERT-In), is also aware of the intrusion, the source told ET. As of the time of publication, CERT-In has not replied to ET’s inquiry, though.

CEO of the cybersecurity company Safe Security Saket Modi stated that he could not see any sensitive government-issued IDs, such as Aadhaar, among the disclosed data. He noted that the ‘membershipId’ numbers are likely hotel loyalty numbers, and the data may be from an old hack being recycled.

According to the FAIR Institute’s Materiality Assessment Model (FAIR-MAM), categories important for a hospitality company breach include PCI (payment card information), PFI (personal financial information), PHI (protected health information), or sensitive PII. Modi outlined potential cost categories for Taj, including incident response, customer support, and class-action settlement and regulatory fines.