Aman Luxury Hotel Chain Exposes 215,563 Guest Records via Salesforce CRM Leak
What Happened – In April 2026, the ultra‑luxury hotel brand Aman was targeted in a “pay‑or‑leak” extortion campaign. Threat actors, identified as ShinyHunters, claimed to have stolen data from Aman’s Salesforce CRM and publicly released over 215 k records containing emails, phone numbers, addresses, dates of birth, gender, nationality, spouse names and VIP status codes.
Why It Matters for TPRM –
- Personal data of high‑net‑worth guests is now publicly searchable, increasing fraud and spear‑phishing risk.
- The breach originated from a third‑party SaaS platform (Salesforce), highlighting supply‑chain exposure.
- Regulatory obligations (GDPR, CCPA, PCI DSS for payment data) may trigger notification and fines.
Who Is Affected – Hospitality & luxury travel sector; CRM service providers (Salesforce).
Recommended Actions –
- Review all third‑party SaaS contracts for security clauses and breach‑notification obligations.
- Verify that Aman’s data‑processing agreements with Salesforce include appropriate safeguards.
- Require immediate password rotation and enforce MFA for all privileged accounts.
- Conduct a targeted phishing‑simulation campaign for affected guests and staff.
Technical Notes – The leak appears to be the result of a compromised Salesforce admin account or misconfigured API access, rather than a disclosed vulnerability. No CVE is associated. Exfiltrated data includes PII (email, DOB, address, phone, gender, nationality, spouse name, VIP codes). Source: Have I Been Pwned – Aman breach
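As an added example (not from the brief, Aman or Salesforce), the kind of login-history triage a tenant owner or third-party assessor would run for the two failure modes the Technical Notes name, a compromised admin account and unexpected API access, matching the Recommended Actions on MFA for privileged accounts. The rows are constructed, and the field names (UserId, LoginTime, SourceIp, Status, Application) and the privileged-user set and corporate IP prefixes are assumptions modelled on Salesforce's LoginHistory object.

```python
"""Triage of Salesforce-style login records for signs of a compromised admin
account or unexpected API access (added example, defender-side check)."""
from collections import defaultdict

# Constructed sample rows; field names are assumed to mirror Salesforce's
# LoginHistory object. Addresses use RFC 5737 documentation ranges.
SAMPLE_LOGINS = [
    {"UserId": "005ADMIN", "LoginTime": "2026-04-01T08:00:00Z", "SourceIp": "203.0.113.10",
     "Status": "Success", "Application": "Browser"},
    {"UserId": "005ADMIN", "LoginTime": "2026-04-01T23:10:00Z", "SourceIp": "198.51.100.7",
     "Status": "Invalid Password", "Application": "Browser"},
    {"UserId": "005ADMIN", "LoginTime": "2026-04-01T23:11:00Z", "SourceIp": "198.51.100.7",
     "Status": "Invalid Password", "Application": "Browser"},
    {"UserId": "005ADMIN", "LoginTime": "2026-04-01T23:12:00Z", "SourceIp": "198.51.100.7",
     "Status": "Invalid Password", "Application": "Browser"},
    {"UserId": "005ADMIN", "LoginTime": "2026-04-01T23:14:00Z", "SourceIp": "198.51.100.7",
     "Status": "Success", "Application": "Data Loader"},
    {"UserId": "005SALES", "LoginTime": "2026-04-02T09:00:00Z", "SourceIp": "203.0.113.22",
     "Status": "Success", "Application": "Browser"},
]
PRIVILEGED_USERS = {"005ADMIN"}        # assumed: users holding an admin profile
CORPORATE_PREFIXES = ("203.0.113.",)   # constructed: known office/VPN egress
FAILURE_THRESHOLD = 3                  # failures before a later success is suspicious

def triage_logins(rows, privileged=PRIVILEGED_USERS, known=CORPORATE_PREFIXES):
    """Return (user_id, reason) findings in chronological order."""
    findings, failed = [], defaultdict(int)
    for r in sorted(rows, key=lambda r: r["LoginTime"]):  # ISO timestamps sort as text
        uid, ip = r["UserId"], r["SourceIp"]
        off_network = not ip.startswith(known)
        if r["Status"] != "Success":
            failed[uid] += 1           # count the current streak of failures per user
            continue
        if failed[uid] >= FAILURE_THRESHOLD:
            findings.append((uid, f"success after {failed[uid]} failures from {ip}"))
        if uid in privileged and off_network:
            findings.append((uid, f"privileged login from unknown network {ip}"))
        if uid in privileged and r["Application"] != "Browser":
            findings.append((uid, f"privileged account used by API client '{r['Application']}'"))
        failed[uid] = 0                # a success ends the failure streak
    return findings

if __name__ == "__main__":
    for uid, reason in triage_logins(SAMPLE_LOGINS):
        print(uid, reason)
```

On the constructed rows this yields three findings for the admin account: a success after three failures, a login from an unknown network, and use of an API client; the ordinary sales user produces none.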