A cloud misconfiguration affecting users of a popular reservation platform threatens travelers with identity theft, scams, credit-card fraud and vacation-stealing.
A widely used hotel reservation platform has exposed 10 million files related to guests at hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The exposed records include sensitive data such as credit-card details.
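The root cause here is a bucket whose contents anyone on the internet can read. As an added example (not code from the article, Website Planet or Prestige Software), the following Python evaluates an S3 bucket policy and the bucket's Block Public Access settings offline, in the shape boto3's get_bucket_policy and get_public_access_block return them, and flags an unconditional anonymous-read grant of the kind that produces this class of exposure. The function names, the bucket name and the sample policies are constructed for illustration; ACL-based exposure is not evaluated.

```python
# Added defender-side example: classify an S3 bucket's exposure from its
# bucket policy and Block Public Access configuration. No AWS calls are made;
# every input below is constructed for illustration.
import json

READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

def _principal_is_anonymous(principal):
    # Policy principals are written as "*", {"AWS": "*"} or {"AWS": [...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def anonymous_read_statements(policy_json):
    """Return the Sids of statements granting read access to everyone with no Condition."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if _principal_is_anonymous(stmt.get("Principal")) and READ_ACTIONS & set(actions):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def bucket_is_exposed(policy_json, public_access_block):
    """True if the policy is public and RestrictPublicBuckets does not neutralise it."""
    # With RestrictPublicBuckets set, S3 ignores a public bucket policy for anonymous access.
    restricted = public_access_block.get("RestrictPublicBuckets", False)
    return bool(anonymous_read_statements(policy_json)) and not restricted

# Constructed samples: a "public-read" misconfiguration and an account-scoped policy.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    print(anonymous_read_statements(PUBLIC_POLICY))      # ['PublicRead']
    print(bucket_is_exposed(PUBLIC_POLICY, NO_BLOCK))    # True
    print(bucket_is_exposed(PUBLIC_POLICY, FULL_BLOCK))  # False
```

Running the same check across every bucket in an account (feeding it real get_bucket_policy and get_public_access_block output) turns this into a routine audit for the exposure described in this article.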
Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.
The incident has affected 24.4 GB worth of data in total, according to the security team at Website Planet, which uncovered the bucket. Many of the records contain data for multiple hotel guests grouped together on a single reservation; thus, the number of people exposed is likely well over 10 million, researchers said.
Some of the records go back to 2013, the team determined – but the bucket was still “live” and in use when it was discovered this month.
“The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks,” according to the firm, in a recent notice on the issue. “The S3 bucket contained over 180,000 records from August 2020 alone. Many of them related to hotel reservations being made on numerous websites, despite global hotel bookings being at an all-time low for this period.”
The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more.
The exposure affects a wide range of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more.
“Every website and booking platform connected to Cloud Hospitality was probably affected,” according to Website Planet. “These websites are not responsible for any data exposed as a result.”
Hotel guests affected could be the targets of a wide range of attacks, from identity theft and phishing to someone hijacking their vacations, researchers said. For instance, they pointed out that cybercriminals could use details of hotel stays to create convincing scams and target wealthy individuals who have stayed at expensive hotels. And if any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail and extort them.
“We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” researchers said. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial well-being of those exposed.”
Other attack scenarios include credit-card fraud and longer-running scam efforts in which an attacker uses the details to establish trust, and then encourages people to click on malicious links, download malware or hand over valuable private data.
As for Prestige, it is subject to the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard, known as PCI DSS. GDPR violations can result in large fines. And non-compliance with PCI DSS may mean that Prestige’s ability to accept and process credit-card payments will be stripped, researchers noted.
“The international travel and hospitality industries have been devastated by the coronavirus crisis, with many companies struggling to survive, and millions of people out of work,” researchers said. “By exposing so much data and putting so many people at risk in such a delicate time, Prestige Software could face a PR disaster due to this breach.”