Hotel involved in the alleged lack of data protection measures

including name, date of birth, ID number, address, mobile phone number and other young women data nearly 30,000 easy to trigger fraud and reputation infringement

Legal Evening News (reporter Mao Jianyu intern Sheber) Leakage of personal stay information, including name, sex, date of birth, ID card number, address, mobile phone number, work units and other information, someone made "2000W Open room Data" file uploaded to the network, netizens to the frequency of nearly 40,000 times a day to download.

"Legal Evening News" reporter statistics found that 20 million hotel personal stay information, Beijing People's information has 220,754.

The leakage event is due to many hotels using the hotel Wi-Fi management and certification system developed by Zhejiang Hui-da Station company, and the company has low encryption level, which leads to information leakage events.

Extended Interview

Involved network company for 4,500 hotel services

"2000W Room Data" file, there is no indication of the name of the hotel to stay. But the official website of Zhejiang Hui-da Station Network Co., Ltd. shows that the company's business covers more than 110 cities in 31 provinces and autonomous regions of Tibet, providing various services for more than 4,500 star and economic chain hotels.

Today, the Hui Tatsu Station Company's official website "partner" column has been unable to click into. But the text in the "Company Introduction" column shows that the company is the only designated supplier for the Home digital room.

The first disclosure of the issue of the domestic security vulnerability monitoring Platform Cloud Network, has released a screenshot, above is with Zhejiang Hui Tatsu Station Company cooperation part of the economic chain hotel list, including such as home, Han Court, Greentree, pudding, Jinjiang star 20.

Morning, Jinjiang star, Pudding and Greentree Inn hotel All told reporters that its Wi-Fi certification, management system is not with Zhejiang Hui Tatsu Network Co., Ltd. established cooperation.

Greentree also said that its Wi-Fi certification, management system is its own research and development, its former and Hui Tatsu Station company has been outside the network of cooperation, cloud network Although the disclosure of the list of cooperation hotels screenshot, but can only explain that Hui Tatsu Station company with its various types of cooperation in hotels are listed up.

Reporter Morning also contacted such as Home Hotel, but customer service staff to provide the company switchboard number, the reporter repeatedly dialed no one to answer.

There are 220,754 hotel information in Beijing.

Today, "2000W open room data" can still be downloaded normally from the Internet. The Reporter downloads the data file and carries on the statistical analysis.

According to our statistics, the hotel occupancy information, residential address in Beijing has 220,754 information.

Reporter further statistics found that the hotel occupancy information in these people, involving the male occupancy accounted for more than 60%, involving female occupancy accounted for nearly 40%.

In the age of 30 to 60, Beijing males are 1.9 times times more likely to be female. But in the age of 18 to 30, Beijing men are only 1.2 times times as likely as women.

Network exposure to open room information is quite popular with netizens attention

According to the insider, "2000W Open Room Data" appeared on the internet, the frequency of nearly 40,000 times a day by people crazy download. The good person has again edited it into several versions, such as "18-30-year-old mm Open room data" and so on.

"18-30-year-old mm Open room data", contains residential address in Beijing, 18 to 30 years old female hotel check-in information 29,063.

There are a number of online site for people to check open room information, one of the Web site is "www." Zhaokaifang.com's web page is "quite popular". The reporter chooses "Zhang", "Li Gang" and so on common name inquiry, can find thousand people about. Media reports said the search sites to prevent the shutdown, have to set the server abroad, so that the police helpless.

All personal information is exposed to phone scams

Shanghai Lawyers Association Information Network and High-tech Professional Committee director Shangjiangang to the "Legal Evening News" reporter, "2000W Open Room data" at any time to the information leaked to bring various risks.

These data, in general, are used in a variety of annoying phone marketing, serious criminals are used for telephone fraud. In the case of telephone fraud, the more comprehensive the person's personal information, the more gullible the victim is.

At the same time, do not rule out malicious people will be in the Forum, micro-blog and other places to publish other people's information, infringement of other people's privacy or spread rumors of infringement of reputation

Data provider acknowledges information security vulnerabilities

Zhejiang Hui da Station Network Co., Ltd. The official website shows that the company's mission is to "improve the hotel network ecology", the vision is "to build the most applicable network platform for Chinese business traveller, become the most professional IT service provider", committed to "reduce it complexity and it costs."

After the incident, Zhejiang Hui-da Station Company issued a circular to recognize the existence of wireless system Information security encryption level is low, there is information leakage of security risks, the incident after the technical team has been a comprehensive upgrade of the system.

The company apologized to hotel customers who had leaked personal information and said the system's security issues were not related to all hotel customers.

Reporter from the National Computer Network emergency Technology Treatment and Coordination center of the United Internet enterprises, such as the establishment of the "National Information security vulnerability sharing platform", see "About Zhejiang Hui-da Station Network Co., Ltd. Wireless authentication Data Channel Server vulnerability Risk Management Bulletin."

The bulletin said that Zhejiang Hui-da Station company does exist wireless authentication data Channel Server vulnerability risk, but has been repaired and disposed of. "National information security vulnerability sharing platform" will continue to follow this matter, do a good job of emergency management.

Incident due to the hotel Wi-Fi system imperfect caused the incident

According to cloud network staff introduction, the hotel uses the Zhejiang Hui Tatsu Network Limited hotel Wi-Fi management, certification system, and the problem arises.

A professional who has long been involved in information security has told reporters that at present, almost all hotels have Wi-Fi coverage. In order to ensure a real name online, Wi-Fi at the hotel requires authentication. This information is aggregated to a network company that offers Wi-Fi services.

The source of the loophole lies in the imperfect management mechanism of the Hui-da Station, whose system requires the hotel to authenticate the website when submitting the check-in record, but not on the hotel server, but on the server of the company through Zhejiang Hui-da Station, and the latter will save the customer's information.

Zhejiang Hui Tatsu Station Company in the server real-time storage of hotel customer information, and allow the relevant objects or demand side to download, read. Although there is a password authentication, but the customer information in the data synchronization of the use of the authentication username, password is plaintext transmission, that is, in the password authentication process is not encrypted transmission data, and this can easily lead to hackers intercepted plaintext password, and then by virtue of this password to download hotel user data.

Wireless network set up input Da Hing Select Third Party service

"The Wi-Fi coverage in the hotel is a regular service with the development of the hotel industry," said Mr. Bai, manager of a network security company in Beijing.

The erection of wireless network needs base station, but the input cost is too big, still need special person maintenance. In this case, many hotel options and network service providers to provide wireless network services and servers.

White Manager believes that direct Third-party companies to manage hotel customer information, in itself increases the possibility of leaks. From the angle of information security, if the hotel chooses the way of third party service, it should increase the threshold of cooperation entry.

Hotel involved in the alleged lack of data protection measures

In the view of white manager, 20 million open room information leakage events show that the hotel industry in China's data management is not yet mature.

Professionals engaged in information security work told reporters that today many hotels are busy in happy enclosure, but neglected to stay in the management of customer personal information.

He gave the enterprise to do information security training has clearly felt that the business owner is often only concerned about the enterprise's own financial information security, but for the maintenance of other aspects of information security very disdain.

The person said that many hotels in the safety of the exclusion of the work done not in place, in the personal information data protection lack of management measures, is a key to information security incidents.

The use of Zhejiang Hui Tatsu Station Company Wi-Fi management, certification system of hotels, customers in the access to Wi-Fi, the need to log in Zhejiang Hui Tatsu Station Company's server for Web page certification.

The source said that because of system design flaws, resulting in customer information easily stolen.

The person said that if the hotel involved in the upload of customer information has strict management authority measures, can avoid the incident.

"For example, in banking, a 18-character permission operation password is administered by 3 people, each of whom knows only the 6 characters they control." When the operating system is needed, the 3 individuals enter their own password section first, and then the other people who do not have the password characters are able to perform the operation. He said, although this is cumbersome, but enough to ensure information security.

Disclosure of events or influence on the reputation of hospitality industry

Sun Tian, head of customer service at a four-star hotel in Beijing, told the Legal Evening News reporter that even if the hotel guests do not use Wi-Fi, they must register detailed customer information.

The administrative measures for the administration of hotel and guesthouse accommodation sixth stipulates that hotel reception passengers must be registered. Previously, the registration method is the front desk staff handwriting registration, and now are registered through the computer entry, the hotel's server will store this information. After registration, the guest information will be transmitted quickly to the local police station to facilitate the work of the public security organs.

As an "old man" who has worked in the hospitality industry for years, he is deeply concerned about the incident. He believes that 20 million of hotel customer information disclosure events will affect the credibility of the entire hotel industry.

Sun Tian that the hotel should pay attention to the personal information protection of the guests, the hotel should take up the personal information management work, invest the financial resources, perfect management system.