Hotel management platform Otelier has confirmed a data breach that exposed millions of hotel guest records from hospitality brands including Marriott, Hilton, and Hyatt.
Otelier says its cloud-based hotel management software handles operations for more than 10,000 properties.
The intrusion ran from July 2024 to October 2024: a threat actor accessed the platform's Amazon S3 buckets using compromised employee credentials and exfiltrated 7.8 terabytes of customer data.
Otelier hotel guest records data breach exposed the PII of millions of customers
The leaked data includes the affected properties' reservation records, transaction information, employee email addresses, and internal documents.
The files contained hotel guest records with personal information, including the names, email addresses, phone numbers, and postal addresses of millions of customers. The breach does not appear to have exposed guests' account passwords.
However, according to the data breach tracking platform Have I Been Pwned (HIBP), in a “small number of cases, partial credit card data” was also exposed.
Armed with booking details that include email addresses and phone numbers, attackers can craft targeted phishing messages that reference real reservations and lure victims into disclosing further sensitive details, such as full credit card numbers.
HIBP says at least 39 million reservation records and up to 212 million user records were compromised, highlighting the scope of the incident.
However, the guest information was heavily duplicated: roughly 1.3 million unique email addresses were exposed.
“The data included 437k customer email addresses (a further 868k generated email addresses from the booking.com and Expedia platforms were not loaded into HIBP)…,” Troy Hunt’s site stated.
Otelier says it has implemented additional cybersecurity measures to prevent future breaches and has contacted affected individuals. It has also hired external cybersecurity experts to conduct a forensic analysis and validate its systems in order to rule out any remaining threat actor activity.
Otelier believes the threat actor's access has been terminated. As a precaution, it also disabled the compromised accounts involved in the attack.
The attacker says they breached the hotel platform's Atlassian server using an employee's credentials, which had been stolen by info-stealer malware.
They then used that access to scrape data from the Atlassian server that contained the platform's S3 credentials, and used those credentials to pull data from the buckets. The threat actor says millions of documents belonging to Marriott were taken during the attack.
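The chain described above ends with a long-lived S3 access key being used from an unfamiliar location to pull terabytes out of a bucket over several months. That pattern is visible in CloudTrail S3 data events (which must be enabled per bucket; they are not logged by default). The following is an added example written for this page, not code from Otelier or from the original article: a small detector that groups GetObject events by access key and flags a key when it reads more objects or more bytes than expected inside a sliding window, or is used from a source address outside a per-key baseline. The record layout follows CloudTrail's S3 data-event format, but the key IDs (AWS documentation placeholders), IP addresses (RFC 5737 test ranges), bucket names, the KNOWN_SOURCES baseline, the thresholds, and the sample events are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed baseline (not data from the page): the source addresses each
# long-lived access key is expected to be used from. Key IDs are the AWS
# documentation placeholders; addresses are from the RFC 5737 test ranges.
KNOWN_SOURCES = {
    "AKIAIOSFODNN7EXAMPLE": {"203.0.113.10"},   # integration service
    "AKIAI44QH8DHBEXAMPLE": {"203.0.113.11"},   # reporting job
}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format


def _record(when, key_id, src_ip, bucket, obj_key, size):
    """One CloudTrail S3 data-event record (GetObject), shaped like a real one."""
    return {
        "eventTime": when.strftime(TIME_FMT),
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
        "sourceIPAddress": src_ip,
        "requestParameters": {"bucketName": bucket, "key": obj_key},
        "additionalEventData": {"bytesTransferredOut": size},
    }


def make_sample_events():
    """Constructed sample: a normal trickle from both keys, then the
    integration key pulling 400 objects in under seven minutes from an
    address it has never been used from before."""
    base = datetime(2024, 9, 12, 2, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(3):
        events.append(_record(base + timedelta(minutes=i), "AKIAIOSFODNN7EXAMPLE",
                              "203.0.113.10", "pms-sync", f"sync/{i}.json", 1 * 2**20))
    for i in range(5):
        events.append(_record(base + timedelta(minutes=i), "AKIAI44QH8DHBEXAMPLE",
                              "203.0.113.11", "reports", f"daily/{i}.csv", 2 * 2**20))
    burst_start = base + timedelta(hours=1)
    for i in range(400):
        events.append(_record(burst_start + timedelta(seconds=i), "AKIAIOSFODNN7EXAMPLE",
                              "198.51.100.77", "pms-sync", f"archive/{i}.parquet", 64 * 2**20))
    return events


def find_exfiltration(records, window_seconds=600, max_objects=250, max_bytes=5 * 2**30):
    """Return one finding per access key whose GetObject activity looks like a
    bulk download: more than max_objects reads or more than max_bytes sent out
    within any sliding window of window_seconds, or any read from a source
    address not in the key's known set. Thresholds are illustrative."""
    by_key = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "GetObject":
            continue
        by_key[r["userIdentity"].get("accessKeyId")].append(r)

    findings = []
    for key_id, recs in by_key.items():
        recs.sort(key=lambda r: r["eventTime"])   # ISO-8601 strings sort chronologically
        window = deque()                          # (timestamp, bytes) inside the window
        win_bytes = peak_objects = peak_bytes = 0
        unknown = set()
        for r in recs:
            t = datetime.strptime(r["eventTime"], TIME_FMT).replace(tzinfo=timezone.utc)
            size = int(r.get("additionalEventData", {}).get("bytesTransferredOut", 0))
            window.append((t, size))
            win_bytes += size
            while (t - window[0][0]).total_seconds() > window_seconds:
                win_bytes -= window.popleft()[1]   # drop events that aged out
            peak_objects = max(peak_objects, len(window))
            peak_bytes = max(peak_bytes, win_bytes)
            if r["sourceIPAddress"] not in KNOWN_SOURCES.get(key_id, set()):
                unknown.add(r["sourceIPAddress"])
        reasons = []
        if peak_objects > max_objects:
            reasons.append(f"{peak_objects} objects read within {window_seconds}s")
        if peak_bytes > max_bytes:
            reasons.append(f"{peak_bytes / 2**30:.1f} GiB transferred out within {window_seconds}s")
        if unknown:
            reasons.append("used from unknown source(s): " + ", ".join(sorted(unknown)))
        if reasons:
            findings.append({"accessKeyId": key_id, "peak_objects": peak_objects,
                             "peak_bytes": peak_bytes, "unknown_sources": sorted(unknown),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_exfiltration(make_sample_events()):
        print(f["accessKeyId"], "->", "; ".join(f["reasons"]))
```

On the constructed sample the reporting key stays quiet and the integration key is flagged on all three counts. In practice the KNOWN_SOURCES baseline would be derived from a few weeks of CloudTrail history rather than hard-coded, and the source-address check is the one that would have fired earliest here: a credential lifted from a wiki and replayed from the attacker's own infrastructure changes where the key is used before it changes how much it reads.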
The affected hotels have taken their own precautions to protect guest data, suspending the automated Otelier services involved in the breach.
The threat actors have reportedly demanded an unspecified ransom in exchange for not publishing the stolen information online.
Marriott was recently hit with a hefty FTC penalty for its alleged failure to prevent data breaches that affected over 340 million individuals.
The hospitality industry is under attack
The hospitality industry has become an attractive target for threat actors interested in harvesting troves of personal information, including that of wealthy clients, who are the preferred targets of cyber extortion.
MGM Resorts suffered a data breach in 2019 and a ransomware attack in 2023, and agreed to a $45 million settlement to resolve class action lawsuits stemming from both incidents, which exposed over 10.6 million hotel guest records.
In 2014 and 2015, Hilton Hotels also suffered data breaches that resulted in a $700,000 settlement after exposing 363,000 hotel guest accounts.
Hyatt Hotels also suffered a data breach between March 18, 2017, and July 2, 2017, that compromised hotel guests’ credit card information. In 2015, the hotel chain also suffered a data breach involving a credit card skimmer that affected 250 hotels in about 50 countries.