Website leaking Chinese hotel guest details closed down

Hackers used security loophole to gain access to thousands of confidential records

PUBLISHED : Monday, 21 October, 2013, 1:33pm
UPDATED : Monday, 21 October, 2013, 3:05pm

Three Chinese characters and a search bar are the only features to be found on the website. However, as internet users throughout China discovered last week, the nondescript website contained detailed records of individual guest bookings at hotels across the nation, including their names, addresses and phone numbers.

The site, which was blocked sometime between Sunday night and Monday morning, added fuel to a debate about online privacy as China reviews its two-decade-old consumer rights legislation. It is unclear who runs the website. Its domain is registered to a delivery company in Xinghua, Jiangsu province. A woman reached at the company, who declined to be identified, denied any knowledge of the website.

Two weeks ago, the online security watchdog WooYun reported that hackers had taken advantage of a security loophole in the database of CNWisdom, a Zhejiang-based company which calls itself the country’s largest provider of wireless internet for hotels, to gain access to thousands of records.

The company issued a statement denying involvement in the security leak, saying that information from hotels not serviced by the company had also been leaked.

Soon, a seller on Taobao, China’s largest e-shopping website, offered eight gigabytes of hotel guest data for sale for 2,000 yuan. The Taobao shop has since been closed.

A leak of CNWisdom’s data could be substantial. The company serviced 450,000 hotel rooms in 2011, the last time it updated its figures, in more than 4,500 hotels. Hotel guests have to register their personal data, including address, phone number, ID card, date of birth and workplace, to gain access to CNWisdom’s Wi-Fi services.

Zhao Zhanling, a legal adviser for the state-run China Internet Association and Beijing-based IT-legal expert, said hotel guests could already hold hotels liable for compensation under the current law, but hotels can bring a legal case against the service provider, who allowed the leak.

“Those of you who aren’t married, don’t access this site!” one internet user wrote after visiting the website. “Those who are, try to avoid checking.”