Huazhu Group runs over 3,000 hotels in hundreds of cities, under brands such as Mercure and Ibis, as well as Hanting and Crystal Orange. According to mainstream news reports, 500 million pieces of information about the hotel group’s customers (personal data, booking records, financial information, etc.) may have been breached, and the data of 130 million guests has been found on the Dark Web, offered for 8 bitcoin (around US$56,000).
Tim Mackey, Technical Evangelist, Synopsys, says:
“This looks like an opportunistic ‘hack’ in a vein quite similar to that of the Uber ‘hack’ last fall. Development teams using public source code systems like GitHub and public continuous integration (CI) systems like Travis-CI need to recognize that any developer activity which causes a push to a public repository or a public branch can be viewed by others. To combat the potential for credentials, configuration information and data from leaking out, these teams need to have strong policies surrounding how debugging of CI occurs, where forks of code by core developers are located, and the conditions under which a push to a public branch for CI occurs. The increasing popularity of hosted development tools like GitHub, Jira and Travis-CI makes them ideal sources of information for malicious actors. Consumers of hosted tools should ensure the security requirements their organization places on code being developed can be met by these tools and that they’re correctly configured to meet those requirements. Put another way, while it’s possible to ‘outsource’ the management of developer tooling, it’s very likely the default configuration isn’t appropriate to your requirements and you should invest in ensuring your security requirements are met.”
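One concrete form the policy described above can take is a pre-push check that refuses to push added lines that look like credentials. The script below is an added example, not code from the article, Huazhu or Synopsys; the credential patterns, the entropy threshold and the sample diff are assumptions constructed for illustration.

```python
import math
import re
import sys
from collections import Counter

# Credential shapes commonly committed by accident (assumed patterns, not exhaustive).
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}

# Constructed sample diff standing in for `git diff origin/main...HEAD` output.
SAMPLE_DIFF = """\
+++ b/ci/debug.env
+DB_PASSWORD=changeme
+API_TOKEN=xK9vQ2mN7pLz4RtW
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-OLD_TOKEN=xK9vQ2mN7pLz4RtW
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, dictionary words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(text: str, min_entropy: float = 3.5):
    """Return (line_no, rule, value) for each added line that looks like a credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("-"):
            continue  # removed lines are not what a push discloses
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            # Skip low-entropy placeholders such as password=changeme.
            if rule == "generic_secret" and shannon_entropy(value) < min_entropy:
                continue
            findings.append((no, rule, value))
    return findings

if __name__ == "__main__":  # e.g. `git diff origin/main...HEAD | python scan.py`
    hits = scan_text(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for no, rule, value in hits:
        print(f"line {no}: {rule} ({value[:4]}...)")  # never echo the full secret
    sys.exit(1 if hits else 0)  # non-zero exit blocks the push from a hook
```

Wired into a git pre-push hook, the non-zero exit stops the push before a debugging artefact such as a CI `.env` file reaches a public branch.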