Tokyo, Japan-based Almex, which operates the Japanese Happy Hotels, announced that it has been hacked and that customer data, including email address, birth date, gender, phone number, login, address, and credit card information, could all have been compromised because of a calculated phishing attack.
Happy Hotels is billed in Japan as a “love hotel” because it allows its guests to privately book a room for a few hours or a night without interacting with any hotel employee. In its statement, the company advised customers to change their email address if they have reused it across other services. This is sensible advice to protect other services, but very much a case of locking the gate once the horse has well and truly bolted.
The breach evokes memories of the 2015 Ashley Madison breach. Ashley Madison was a website much like ‘love hotels’ in that it was dedicated to helping married people cheat. The breach not only ruined many marriages, but also gave unscrupulous individuals the opportunity to blackmail members. In one public case, an individual approached a user, demanding $1000 in bitcoin and threatening to expose the user to his wife otherwise.
Therefore, it’s not too much of a stretch to imagine the same could happen to Japanese users of Happy Hotels. From a user perspective, there is nothing they could have done to minimise any impact of the breach other than not using the service. However, there are several questions which arise about Almex and how it secures the data.
For a private or implicitly anonymous service, the hotel did appear to obtain and retain a lot of personally identifiable information about its guests. It also appears as if no measures were taken to encrypt sensitive data, or to store passwords using an approved hashing function, which prevents the password from being visible even to the administrators.
Data security is one of the most critical assets, if not the most critical, for many businesses. This breach could severely impact guests of the hotel and affect future bookings if trust is eroded.
Companies need to understand that gathering and storing large quantities of data has ceased to be a competitive advantage; rather, it’s more like storing masses of radioactive material. You need to secure it properly, and any leak could have a devastating impact.
But security isn’t something that can be bought in a box; it’s a process, sometimes a long one, that needs to be embedded throughout an organisation and reflected across its technology, processes, and, most importantly, its people. New-school security awareness training could have helped Happy Hotels’ employees identify the phishing scam.