In a concerning development, Tata-owned Taj Hotels group has fallen victim to a data breach, exposing the personal information of more than 1.5 million customers. The breach, orchestrated by a threat actor known as “Dnacookies,” involves a ransom demand of $5,000 (approximately Rs 4,16,000) for the complete dataset.
The compromised data reportedly includes addresses, membership IDs, mobile numbers, and other personally identifiable information, raising serious concerns about privacy.
A spokesperson for the Indian Hotels Company Ltd. (IHCL), the entity managing the Taj Group, acknowledged the situation, stating, “We have been made aware of someone claiming possession of a limited data customer data set, which is non-sensitive in nature.” Despite the claim of non-sensitivity, the breach poses a significant risk to the affected customers.
The bad actor asserted that the dataset spans from 2014 to 2020 and has not been disclosed previously. Hacker forums, as reported by Economic Times on November 5, have reviewed the breach post, which includes a sample featuring one thousand rows of unique entries.
IHCL has taken prompt action, stating, “We are investigating this claim and have notified the relevant authorities,” and emphasizing their commitment to monitoring systems closely. The breach has also caught the attention of the Indian Computer Emergency Response Team (CERT-In), which is actively investigating the matter to mitigate potential risks and assess the extent of the breach.
Dnacookies, the threat actor behind the breach, has outlined three specific demands, adding complexity to the situation. These demands include the requirement for a negotiable deal to involve a middleman, a strict stance against splitting the data (it must be all or nothing), and a refusal to provide additional samples of the compromised data.
The ongoing investigation will play a crucial role in understanding the full impact of this security incident and implementing necessary measures to secure affected individuals’ information.