Particle.news

Download on the App Store

Numa Closes Data Leak That Exposed 500,000 Guests, Retains Digital ID Check-In

The chain alerted data protection authorities after fixing a security flaw that exposed names, addresses and sensitive ID numbers.

Image

Overview

  • The vulnerability was uncovered by Chaos Computer Club spokesman Matthias Marx during a Berlin self-check-in when he manipulated invoice links to access other guests’ documents.
  • As many as 500,000 stays between January 2024 and June 2025 may have been affected, exposing names, addresses, booking information and ID details.
  • Numa swiftly patched the security gap and reviewed log files, finding no indication that the flaw had been exploited beyond the CCC’s discovery.
  • The hotel operator informed the Berlin data protection authority and reached out to customers whose data could have been accessed.
  • Critics say Numa’s insistence on digital ID uploads for self-check-in is unjustified under German law, which dropped ID requirements for hotel stays in January 2024.