
Data Leak at Hotel Booking Companies Affected Millions of Guests

Sensitive data, including credit card details, for over 10 million travelers and guests were exposed in a massive hotel management booking platform data leak. The breach originated from a misconfigured Amazon Web Services (AWS) S3 bucket used for storing data by the hotel management system owned by the Spanish tech firm, Prestige Software. The breach affected several hotel booking companies that use the platform, including Expedia and Booking.com. Individuals who used these booking services since 2013 risk identity theft, scams, credit card fraud, vacation-stealing, and blackmail.

Another booking platform, RedDoorz, also disclosed that it suffered a data leak after a database containing 5.8 million user records was put up for sale on a hacker forum.

Hotel booking companies affected by Prestige Software data leak

The Prestige data leak affected all hotel booking companies connected to the company’s Cloud Hospitality platform. The hotel booking companies use the system to integrate their reservation systems with online booking websites, allowing them to synchronize bookings and rooms’ availability on multiple platforms.

The data leak affected major hotel reservation platforms, including Agoda, Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre, among others. Although the individual hotel booking companies were affected, they were not responsible for the data exposed.

Details exposed in Prestige Software data leak

Website Planet’s security team said that 24.4 GB of data was exposed in the hotel booking companies’ data leak. The number of customers affected was likely above 10 million since many records grouped multiple guests in a single reservation. Some of the data leaked goes back to 2013, but the bucket was still active with over 180,000 records from August 2020 alone.

The security firm said that Prestige Software was storing hotel guests and travel agents’ credit card data without any protection, putting millions of people at risk of online fraud.

The records contained names, phone numbers, email addresses, national ID numbers, credit card numbers, cardholder names, CVVs, and expiration dates. Other details, such as the total cost of hotel reservations, stay dates, reservation numbers, guests’ special requests, number of hotel room occupants, and names of the guests, were also exposed. Website Planet’s security researchers directly contacted AWS to report the data leak, and the bucket was secured a day later.

Prestige Software’s spokesperson Jose Hernández told The Independent that the data was “visible for a very limited time” and that only Website Planet accessed it during that time. Hernández added that Prestige Software notified all the affected hotel booking companies about the leak.

However, Gurucul CEO Saryu Nayyar believes that threat actors could have secretly discovered the data and remained silent about it. He points out that behavioral analytics tools could have identified the misconfiguration before threat actors discovered it. Nayyar further added that third-party vendors could be the weakest link in the information security of client companies.

“Working with 3rd party vendors poses a number of challenges, including making sure they are maintaining the same level of cybersecurity your own organization requires,” Nayyar says. “This exposure affects several high-profile Prestige customers. Fortunately, this was discovered by a responsible security research team.”

Expedia said that the leak did not originate from its systems and that it was redirecting all queries to Prestige Software.

Consequences of the Prestige Software data leak

The affected guests may be vulnerable to various forms of cyber attacks, including phishing scams and identity theft. Attackers could use the details of hotel stays to create convincing phishing messages and trick the victims into clicking on malicious links and downloading infected email attachments.

Additionally, they could blackmail hotel visitors by threatening to release details of embarrassing hotel stays. Although no exploit of the data has been detected, Website Planet researchers said that cybercriminals could have stolen the data before the breach was discovered.

Prestige Software may also face tough sanctions and massive fines under the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). It could also lose its ability to accept and process credit cards, which would in turn affect many hotel booking companies that rely on its services to process hotel reservations.

Point3 Security VP of Strategy Chloé Messdaghi says that most hotels lack IT security teams that could help them determine the safety of third-party vendors.

“Many hotels don’t have IT security personnel on their team, which would be the team that would be tasked with determining the safety of any third-party platform. Keeping your own ecosystem safe is one thing – investigating the third parties that your organization works with is a whole other necessary task.”

RedDoorz database sold on hacker forum

Another booking platform, RedDoorz, disclosed that it suffered a data breach in September 2020 after an attacker accessed its online database. Unlike the Prestige Software data leak, the RedDoorz exposure did not include any financial information.

RedDoorz is a Singapore-based hotel management and booking platform with over 1,000 properties across Southeast Asia.


Last week, the database containing 5.8 million user records was put up for sale on a hacker forum. The threat actor shared a sample containing the table structure and data records of 587 users. The data included users’ full names, gender, phone number, secondary phone number, date of birth, email, bcrypt-hashed passwords, profile photo link, and occupation. BleepingComputer verified that the information released by the hackers corresponded to that of RedDoorz users.