Data Breach Alert: Taj Hotels Group Faces a Digital Invasion

Mr. Neeraj Soni
Mr. Neeraj Soni
Researcher - Policy & Advocacy, CyberPeace
Nov 25, 2023


Taj Hotels Group is well known for its luxurious ambience and old-world grace and charm, blended with contemporary comforts and amenities for its guests or customers. But what can make all the netizens perplexed is the recent data breach incident which took place in Tata-owned Taj hotels. The hotel suffer from a data breach that compromises nearly 1.5 million customers' data which includes addresses, membership IDs, mobile numbers and other personally identifiable information, according to sources. This news was brought to light which raised concerns about the privacy and data protection of personal data of individuals. We are living in a space influenced by advanced technology and digital communication which throws a concern or challenge to secure the personal information of individuals. 

Unveiling the incident 

Tata-owned Taj Hotels group has suffered a data breach that compromise information of over 1.5 million customers, according to a news report. A bad actor or entity going by the name “Dnacookies” claimed data set contains data from the 2014-2020 period and has not been disclosed anywhere till now. Such personal data includes name, address, customer ID, mobile number and other personally identifiable information. This shows the risks or challenges of data protection and security. The incidents raise an alarm about the risks and vulnerabilities that might be faced even by the big corporate giants. The bad actor with the handle “Dnacookies” also demanded a ransom of a sum of about Rs 4.16 lakh from the Taj hotel group. In response to the incident, a spokesperson from the concerned hotel group said that we have been made aware of someone claiming possession of a limited data customer data set, which is non-sensitive in nature. Investigation is underway and relevant authorities have been notified about the incident.

A demand for ransom

The report from CNBC-TV18 clears that the bad actor not only purloined the data but also demanded around 4.16 lakh as a ransom for the database.  Along with this, the bad actor kept three conditions ahead. Firstly there has to be a middleman for a negotiable deal secondly the data cannot be split either the entire data has to be taken with the ransom demand or no data at all. Thirdly additional samples of data will not be provided. Further, the spokesperson of Indian Hotel Company Limited mentioned that they have been escalated with the fact that someone is claiming authority in a limited data set. The bad actor claimed that the database contains information from 2014- 2020 which has been kept confidential till now. The audacity of the bad actor went to such an extent that the sample containing one thousand rows of unique entries from the bad actor dataset was also provided by the bad actor as proof of the deed. This incident underlines the growing threat in cyberspace and the urgency for individuals, organizations or entities to priorities data security measures and maintain cyber resilience.

Personal Data on Stake

Such data is the personal information of the individuals and also constitutes the personal tastes and preferences of individuals which can be exploited. The biggest gush of winds the hotel and individuals face by such a data breach is not only the volume of data compromised but also the potential ways it can get misused and exploited against the hotel or its customers by cyber crooks. This paves the way for cybercriminals to put forward any demand knowing the sensitivity of the data. Followed by creating a dilemmatic situation for the affected entities to either accept the ransom demands or to stand against ransom. Since the risks are high, going ahead with any of these situations can have an adverse impact on the security of personal data. The organisation or entities holding the personal data need to make sure that data under their realm is well protected and secured.

While the organisation has to sail through the aftermath of this breach, such incidents also pose a challenge for the organisation to maintain the trust and reputation of the organization since these incidents question the cyber security posture of the organisation. It is suggested to be transparent with its stakeholders, and open about the vulnerabilities and steps taken against this. They should also discuss the amplified step added for safeguarding their customer's personal data. Since Taj is well known for its out-of-the-box luxury and for providing comfort to its customers it should take a step ahead to reinforce its digital infrastructure to ensure the security of data.

Digital Personal Data Protection Act, 2023

The newly enacted Digital Personal Data Act, 2023 put certain obligations on data fiduciaries to take reasonable measures to maintain the security of personal data. The Act also requires to inform about the data breach to the data protection board constituted under the Act. The Act aims to protect the individual's digital personal data. The Act casts certain obligations on data principals and data fiduciaries. The Act provides penalty upto 250 crores in case of a data breach. The Act aims to provide consent-based data collection techniques. The Act also establishes the Data Protection Board to ensure compliance with the provisions of the Act and address grievances. 


Data breach in such a big giant in the market serves as an alarming concern to be more cautious and proactively take precautionary measures to protect the security of data and compliance with data protection laws and regulations. We are living in an era where digital security is as important as the basic fundamental rights of an individual. Taj Hotels Group has actively taken steps to handle the aftermath of the data breach by informing the incident to law enforcement agencies and taking necessary steps.  It is also on our part to be more aware, and vigilant about our personal data. Entities need to ensure compliance and measures to protect personal data and overall ensure a true cyber-safe & digital environment.


Nov 25, 2023
No items found.

Related Blogs