Taj Hotels, a luxury hotel chain and a subsidiary of the Indian Hotels Company Limited (IHCL), has reported a data breach that resulted in the compromise of the personal information of approximately 1.5 million people. Dnacookies—the threat actor behind the incident—has claimed to exfiltrate the company’s sensitive data. That includes customer contact details, addresses, membership IDs, and other personally identifiable information (PII).
The massive data breach occurred earlier this month. It has raised grave concerns among the customers and all stakeholders involved, reported The Economic Times.
The cybercriminal demanded $5,000 (around Rs 4.16 lakh) in exchange for the command over the full dataset. The hacker claimed to have accessed customer data from Taj Hotels between 2014 and 2020.
On November 5th, a threat actor confirmed on the black-hat hacking cybercrime marketplace, BreachForums, that customer data has not been exposed on the dark web. In that post, Dnacookies also shared a sample of the stolen data containing 1,000 rows of unique entries.
The attacker set three conditions for the ransom: a) an administrator must be present during negotiations, b) no dividing the data, and c) no more data samples will be given.
In response to the data exfiltration, the IHCL rolled out immediate investigations. A spokesperson from the company confirms that the systems are being rigorously monitored to prevent further repercussions. The company ensures that “there is no suggestion of any current or ongoing security issue or impact on business operation.”
IHCL stressed that “safety and security of customers’ data is of paramount importance.” The company also added that the “limited amount of data” the threat actor has stolen is “non-sensitive in nature.”
With the cyber threat landscape evolving in sophistication and complexity, there has been a sharp rise in data breaches. It means cyber criminals are continuously tracking down security vulnerabilities to exploit and turn them into data breaches.
For example, in September, the cybercrime gang BianLian infiltrated the IT systems of Save the Children International. This is the world’s leading nonprofit operating in 116 countries with $2.8 billion in revenues. Around 6.80 terabytes of its business-critical data was exfiltrated and exposed. The miscreants claimed this also contained 800+ gigabytes of financial, health and medical records.
Needless to say, the ramifications of a data breach could result in serious repercussions. These include loss of customer confidence, damage to brand reputation in the long term, and more.
In addition, data breaches can set businesses back millions. In 2023, the global average cost of a data breach was over $4.45 million—a jump of 15% over 3 years.
Data breaches have the potential to render catastrophic consequences. The fear of these repercussions is pushing businesses to implement Data Security Posture Management (DSPM) strategies. High-end services such as BigID implement proactive DSPM approaches. These protect the company’s mission-critical data regardless of whether it’s stored on-premise, scattered amongst several data repositories, or in the hybrid and multi-cloud.
Sohela is an electrical engineer and a self-professed writer with a keen interest in all things tech. When she’s not writing killer content pieces, you’ll find her enjoying tempting foods in her favourite restaurants.