Taj Hotels faces data breach, 15 lakh customers' personal details at risk

Taj Hotels has fallen victim to a data breach, potentially exposing the personal information of 15 lakh individuals. The breach involves a threat actor identified as "Dnacookies," who has reportedly demanded $5,000 for the complete dataset, encompassing addresses, membership IDs, mobile numbers, and other personally identifiable information.

Indian Hotels Company Ltd (IHCL) runs a number of hospitality properties under the Taj, SeleQtions, Vivanta, and Ginger, among others. Indian Computer Emergency Response Team (CERT-In), the official cybersecurity agency, too is said to be aware of the breach.

"We have been made aware of someone claiming possession of a limited customer data set which is of non-sensitive nature," Indian Hotels Company Ltd (IHCL) spokesperson said in a statement. Asserting that safety and security of customers' data is of paramount importance to the company, the spokesperson said, "We are investigating this claim and have notified the relevant authorities." The spokesperson further said, "We continue to monitor our systems and there is no suggestion of any current or ongoing security issue or impact on business operations."

According to the report, the threat actor posted on BreachForums stating that the customer data spans from 2014 to 2020, emphasizing that the information has not been shared with anyone thus far. The individual outlined three specific demands related to any potential deal. The report also asserted that both the cybersecurity watchdog and the Indian Computer Emergency Response Team (CERT-In) have been made aware of the data breach.

The hackers have stipulated three conditions for any potential deal, as outlined in the report: 
1. A negotiator is required to reach a consensus and the person should be an administrator on the forum.
2. No splitting of data will be allowed; it’s all or nothing.
3. No additional samples (of data) will be provided.