Reports have surfaced in Chinese-language media outlets of a website purporting to contain personal information from thousands of guests that have checked into major Chinese hotel chains over the past several years.
According to The Beijing News (via Techweb), the website was first noticed on Friday when a user on Sina Weibo announced the existence of a website titled “Cha Kai Fang.” The post quickly spread on the social network.
Reporters state that the website full of stolen IDs is frighteningly simple: one simply enters a person’s name, and a list of potential matches will appear, each stating the person’s full name, phone number, cellphone number, ID number, place of employment, and other relevant information (though not all fields are complete in many entries). When one reporter from the Beijing times searched her name, she saw 472 results.
Chinese journalists suspect that the information originates from Huidayi, a Zhejiang-based firm that provides wi-fi services to various hotel chains in China. Just one week ago, WooYun.org, an organization that works with private companies to investigate security-related issues, published a report stating that a major hole existed in the company’s security infrastructure.
However, a representative from Huidayi’s marketing department stated that the company had known about the hole for some time and had already fixed it. Moreover, he added that the data sets were different, thereby absolving his company from any possible involvement. When asked who could possibly be behind the stolen ID website, he replied cryptically, “We all know which government department is responsible for the leak, but we’re not able to say which one.”
Personal info for sale on Taobao
Meanwhile, earlier today, the same reporter for The Beijing News discovered a listing on Taobao, China’s top e-commerce site, claiming to offer all the rogue website’s data for download. The seller is charging RMB 2,000 (about $330), and according to the reporter, that merchant has been selling various membership cards and novelty phone numbers on the e-commerce site since last May. We’ve found the e-store here. The reporter managed to get in touch with the seller to test out the service, but when asked who operated the website, the seller promptly went offline.
At the time of writing, Tech in Asia has been unable to pinpoint the address of this website (both Baidu and Google provide no direct links, and we’ve yet to find any after spending some time scouring message boards). We’ve reached out to a representative at Alibaba, which runs Taobao, for comment on the matter and will update this piece if we get a response.
The Taobao page was up and running this morning, but has been taken down since. We did manage to grab a screenshot, however, which we’ve pasted below.
Update: TiA received the following comment from an Alibaba spokesperson:
The stores that were discovered to be selling personal information have been shut down; our platforms do not tolerate the illegal behaviour of profiting from selling personal information and we will cooperate closely with the authorities on such issues. We welcome all users to report such cases.
(Thumbnail image: 30691679@N07/Flickr)