In a statement, the company said the breach was due to a third-party vendor who "copied the impacted data from our environment without authorization" and moved it to its server.

Choice went on to say that, in the process, the third party's server was accessible from the internet for a few days.

Choice said that while much of the data was fake, some guest information such as names, addresses, phone numbers and email addresses was included in the data.