Taj Hotels face massive data breach, hackers demand $5,000 ransom
The personal details of about 1.5 million people may have been compromised in the data breach earlier this month, said reports
The Indian Hotels Company Ltd (IHCL) has admitted that its customer data base from its chain of hotels has been hacked, with a newspaper reporting on Friday (November 24) that the hackers have sought $5,000 for the data.
The Tata group hospitality company said it was investigating claims of a data breach of a "limited customer data set" which is of non-sensitive nature, The Economic Times reported.
Personal details of about 1.5 million people may have been compromised in the data breach earlier this month, said reports.
IHCL manages a portfolio of hotels, resorts, jungle safaris, palaces and spas besides in-flight catering services. The group is said to be south Asia’s largest hospitality-focussed company. Its brands include Taj, SelQtions, Vivanta and Ginger among others.
The Indian Computer Emergency Response Team (CERT-In), the official cybersecurity agency, is said to be aware of the breach, according to reports.
IHCL version
An IHCL spokesman said in a statement: "We have been made aware of someone claiming possession of a limited customer data set which is of non-sensitive nature.”
Asserting that the safety and security of customer data was of paramount importance to the company, the spokesperson said: "We are investigating this claim and have notified the relevant authorities."
"We continue to monitor our systems and there is no suggestion of any current or ongoing security issue or impact on business operations," the spokesperson added.
A threat actor, going by the name Dnacookies, has sought $5,000 against the full dataset, which includes addresses, membership IDs, mobile numbers and other personally identifiable information, The Times of India quoted unnamed sources aware of the matter as saying.
The customer data is said to be from 2014 to 2020. The threat actor has provided a sample containing 1,000 rows of unique entries.
Hackers’ demands
According to the report, the hackers have set three conditions for any deal that may accrue.
They want a negotiator to reach a consensus and the person should be an administrator on the forum, there will be no splitting of data, and no additional samples of data will be provided.
The Digital Personal Data Protection (DPDP) Act recommends a penalty of up to ₹250 crore on businesses per instance of data breach and a maximum penalty of ₹500 crore for all such breaches.
