Choice Hotels Data Breach Exposes Sensitive Personal Information

On Jan. 14, 2026, Choice Hotels International, Inc., a major hospitality franchisor, experienced a data breach involving sensitive personal information of franchisees and franchise applicants. According to regulatory filings, a skilled individual used social engineering tactics to bypass security measures and gain unauthorized access to an internal application that stored records about these individuals.

Notably, this breach occurred even though the application required multifactor authentication (MFA), highlighting the sophistication of the attack.

Choice Hotels detected the intrusion and shut down the unauthorized access in less than an hour.

A thorough investigation followed, and by Jan. 26, 2026, the company determined that the accessed records contained names, contact information, Social Security numbers and dates of birth.

The breach specifically impacted at least 66 Maine residents and 67 New Hampshire residents, as disclosed to the Maine Attorney General and the New Hampshire Attorney General. The company also notified the attorneys general of California and Vermont.

The total number of people affected in the United States was not specified in the filings, but the incident was limited to franchisees and franchise applicants, not hotel guests.

Choice Hotels International's response

To support those impacted, Choice Hotels is offering two years of complimentary credit monitoring and identity protection services through Epiq Privacy Solutions ID. This service includes three-bureau credit monitoring, annual credit reports and scores, $1 million in identity theft insurance, dark web monitoring, lost wallet assistance and dedicated identity restoration specialists.

Affected individuals are encouraged to enroll in these services and to monitor their credit reports for any unusual activity.

Given that the breach involved a targeted social engineering attack that defeated MFA, affected individuals should be especially cautious about phishing attempts or suspicious communications.

It is advisable to place a fraud alert or security freeze on credit files, review account statements regularly and report any signs of identity theft to the Federal Trade Commission or local law enforcement.