PONT Data&Privacy
Personal data of millions of holidaymakers temporarily exposed

More than 10 million hotel booking records could be accessed because a cloud storage bucket was misconfigured. A great deal of personal data was exposed as a result. The data was managed by the Spanish company Prestige Software, which works with Booking.com and Expedia, among others. As soon as the exposure became known, Amazon closed the bucket off.

VPN Guide November 10, 2020

So writes Website Planet's security team. According to its researchers, the exposure involved 24.4 GB of log files containing a wealth of information about hotel bookings. This was not limited to recent bookings: the data went back to 2013.

Private data exposed by a misconfigured server

Prestige Software, which operates out of the Spanish capital Madrid, stored hotel guest data for years. To do so, it used Amazon Web Services Simple Storage Service, or AWS S3 for short. The bucket was, however, set up incorrectly, leaving a large amount of personal data open to anyone who found it, including hackers and cybercriminals. Criminals collect such information to resell it or to commit identity fraud. It was also theoretically possible to alter a hotel reservation so that the attacker could go on holiday at the expense of the original guest.
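The article does not say which setting was wrong (S3 buckets can be opened to the world through a bucket policy or through an ACL), so the following is an added, illustrative example rather than anything recovered from Prestige Software's configuration. It places a constructed bucket policy that grants anonymous read next to a corrected one scoped to a single IAM role, and includes an offline checker for both policy documents and ACL grants. The bucket name, account ID and role name are placeholders.

```python
import json

# Constructed example policies (not taken from the page or from Prestige Software).
# OPEN_POLICY grants anonymous read and list on the bucket; RESTRICTED_POLICY grants
# object read to a single IAM role only. Bucket name and account ID are placeholders.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-booking-logs",
                     "arn:aws:s3:::example-booking-logs/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowChannelManagerRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/channel-manager"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-booking-logs/*"],
    }],
})

# Canned group URIs that AWS uses in S3 ACLs for "everyone" and "any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

READ_ACTIONS = {"s3:*", "s3:Get*", "s3:GetObject", "s3:List*", "s3:ListBucket"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a statement's Principal is "*" or {"AWS": "*"}, i.e. everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_read_statements(policy_json):
    """Return (Sid, read actions, has_condition) for every Allow statement that grants
    S3 read or list actions to an anonymous principal. Statements carrying a Condition
    are still reported, flagged True, because a condition such as aws:SourceIp may or
    may not actually narrow the grant and needs a human look."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        reads = sorted(a for a in _as_list(stmt.get("Action", [])) if a in READ_ACTIONS)
        if reads:
            findings.append((stmt.get("Sid", "<no Sid>"), reads, "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return (group URI, permission) for ACL grants to AllUsers/AuthenticatedUsers.
    `acl` has the shape of an S3 GetBucketAcl / GetObjectAcl response."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, public_read_statements(policy))
    # Constructed ACL in the shape of a GetBucketAcl response, granting READ to everyone.
    acl = {"Grants": [{"Grantee": {"Type": "Group",
                                   "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                       "Permission": "READ"}]}
    print("acl", public_acl_grants(acl))
```

In a real audit the policy document and ACL would come from the S3 API rather than from inline constants; the checker itself is the part worth keeping. Whatever the policy says, enabling S3 Block Public Access at the account level is the control that stops a single mistaken statement or ACL grant from making a bucket world-readable in the first place.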

Even worse: the data was not encrypted. Screenshots show that it was stored in plaintext. First and last names, address details, passport numbers, e-mail addresses and credit card details were therefore trivial to read: one only had to search for the right field. Details of the hotel reservations themselves were also in the open. From the log files you could see in no time which hotel someone had booked, for how many nights, what the room cost per night, and whether they had any special requests.
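The practical lesson from this paragraph is that card numbers and contact details should never reach a log file in readable form. The following is an added example, not code from the page or from Prestige Software, and the log lines it processes are constructed in the style of a booking log: it masks card numbers to their last four digits after confirming them with a Luhn check (so that booking references and timestamps of similar length are left alone) and replaces e-mail addresses with a pseudonymous hash that still lets analysts correlate a guest across lines.

```python
import hashlib
import re

# Constructed sample log lines in the style of a booking log (not taken from the page
# or from Prestige Software). The first card number is the well-known Luhn-valid test
# PAN; the second differs in its last digit and fails the checksum.
SAMPLE_LINES = [
    "2020-08-01 booking=HB-20200801-000123 card=4111 1111 1111 1111 guest=jane.doe@example.com",
    "2020-08-01 booking=HB-20200801-000124 card=4111-1111-1111-1112 guest=nobody@example.org",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a
# longer digit run. Candidates are confirmed with a Luhn check before masking.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out booking IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw          # numeric but not a card number: leave untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def _pseudonymise_email(match):
    # Unkeyed SHA-256 prefix: lets analysts correlate the same guest across lines
    # without the address itself being readable. Use an HMAC with a secret key
    # if the log may fall into hands that could brute-force likely addresses.
    return "email:" + hashlib.sha256(match.group(0).lower().encode()).hexdigest()[:12]


def redact(line):
    """Mask card numbers to their last four digits and pseudonymise e-mail addresses."""
    line = PAN_RE.sub(_mask_pan, line)
    return EMAIL_RE.sub(_pseudonymise_email, line)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact(line))
```

The Luhn filter is a deliberate trade-off: it keeps the booking reference `HB-20200801-000123` readable, but it also leaves the mistyped number on the second line untouched. A stricter deployment would mask every 13 to 19 digit run regardless, accepting some false positives, and the better fix still is not to write the full card number into the log at all.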

Personal data of millions of hotel guests worldwide exposed

Website Planet says the misconfiguration and unencrypted storage exposed 24.4 GB of log files. How many hotel guests were affected is unclear, but the site says it involves hundreds of thousands of households and millions of customers worldwide. Between January and August 2020 alone, the bucket held more than 180,000 log files containing privacy-sensitive details, and that is just this year. According to Website Planet's security team, the data goes back to 2013.

Prestige Software offers a channel management platform called Cloud Hospitality. Hotel owners use it to report how many rooms they have available in a given period to parties such as Booking.com, Expedia, Hotels.com, Agoda and numerous other booking websites. When a room is booked on one website, its availability is updated on all the others. Cloud Hospitality is used by the largest hotel booking websites and (online) travel agencies.

The rules Prestige Software violated

It is unknown how long the data was accessible or on what scale it was downloaded by hackers. What is clear is that Prestige Software violated PCI DSS, the Payment Card Industry Data Security Standard. This is an information security standard for any organisation that stores, processes or transmits payment card data; among other things it requires stored card numbers to be rendered unreadable, which plaintext log files plainly are not. The more card transactions an organisation processes, the more stringent the requirements it must meet.

The data breach is also a violation of the General Data Protection Regulation (GDPR). The GDPR sets strict requirements for processing personal data and requires companies to take technical and organisational measures to protect the security and privacy of their customers. Companies that fail to do so risk fines of up to 4 percent of their annual global turnover. In addition, the GDPR requires organisations that suffer a data breach to report it to the national regulator, normally within 72 hours. The regulator then decides whether to investigate and whether to impose a penalty for the breach.

Amazon takes immediate action

Website Planet writes that, given the nature and sensitivity of the data, it contacted Amazon as soon as it stumbled upon the leak. Amazon took immediate action: within days of the report, the AWS S3 bucket was no longer accessible to anyone. Website Planet established that the data was authentic by taking some of the leaked e-mail addresses and writing to their owners.

Prestige Software acknowledged to the site that it owns the data. However, it has not issued a press statement explaining more about the breach. Website Planet advises anyone who has booked through one of the affected booking sites in the recent past to contact the company, which can explain what steps to take next.

Marriott hit by massive data breach

Hotel chain Marriott was also hit by a major data breach several years ago. In 2014, hackers gained access to the servers of the hotel group Starwood Hotels and captured personal data such as names, home addresses, e-mail addresses and credit card numbers of guests, a figure initially estimated at up to 500 million. Two years later, Marriott bought Starwood Hotels and so became responsible for handling the breach. Marriott did not learn of the intrusion, however, until 2018.

The UK Information Commissioner's Office (ICO) investigated the incident. According to the privacy watchdog, Marriott had not investigated the matter thoroughly enough and had not adequately secured its systems. In late October 2020, the regulator decided to fine Marriott 18.4 million pounds, or about 20.5 million euros. "When a company fails to take proper care of its customers' data, a fine is the least of its worries. What matters most is that it has a duty to protect this data," the ICO said.
