The list of online booking sites affected by the breach includes some of the major industry giants, including Booking.com.
A Barcelona, Spain-based software company called Prestige Software has been caught exposing the sensitive, private and financial data of millions of customers around the world.
In particular, customers of Booking.com, Expedia, Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, Sabre and several others are among the unsuspecting victims of the exposure.
The exposed database was first identified by Website Planet researchers, who noticed that a misconfigured AWS S3 bucket owned by Prestige Software had been left publicly accessible, with no authentication required to read its contents.
The researchers analyzed the bucket and concluded that it held 24.4 GB of data spread across more than 10 million files.
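The exposure described above comes down to an S3 bucket whose policy, ACL or Public Access Block settings allowed anonymous reads. The following Python is an added example, not code from Website Planet, Prestige Software or the original article: it evaluates those three settings offline against constructed sample configurations (the bucket name, account ID, role name and VPC endpoint ID are made up). It flags the common world-readable patterns; for a live bucket the authoritative answers come from the S3 GetBucketPolicyStatus and GetPublicAccessBlock API calls and IAM Access Analyzer.

```python
"""Offline check for the S3 misconfiguration pattern described above.

Added example, not code from the article or the companies named in it.
Inputs are assumed to be the structures the S3 API returns for
GetBucketPolicy (JSON string), GetBucketAcl and GetPublicAccessBlock (dicts).
Simplification: any statement with a Condition block is treated as scoped
and skipped, so a permissive condition (e.g. only aws:SecureTransport)
would be missed. Confirm live buckets with GetBucketPolicyStatus.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {'AWS': '*'} means anyone on the internet, no credentials needed."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _is_read_action(action):
    """Actions that let a caller download objects or enumerate keys."""
    return action.lower() in ("*", "s3:*", "s3:get*", "s3:getobject", "s3:listbucket")


def policy_grants_public_read(policy_json):
    """Return Sids of unconditional Allow statements that let anyone read or list."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if any(_is_read_action(a) for a in _as_list(stmt.get("Action"))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def acl_grants_public_read(acl):
    """Return group URIs granted READ or FULL_CONTROL on the bucket ACL."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in (ALL_USERS, AUTH_USERS)
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            hits.append(grantee["URI"])
    return hits


def public_access_block_complete(pab):
    """All four flags must be True to neutralise public ACLs and policies."""
    return all(pab.get(flag) is True for flag in PAB_FLAGS)


def assess_bucket(policy_json, acl, pab):
    """Combine the three signals into 'public', 'protected' or 'private'."""
    exposed = policy_grants_public_read(policy_json) or acl_grants_public_read(acl)
    if not exposed:
        return "private"
    return "protected" if public_access_block_complete(pab) else "public"


# Constructed samples (bucket, account ID, role name and VPC endpoint ID are made up).
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "IngestRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/hotel-ingest"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
VPCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}}}]})
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
NO_PAB = dict.fromkeys(PAB_FLAGS, False)
FULL_PAB = dict.fromkeys(PAB_FLAGS, True)

if __name__ == "__main__":
    print("open policy + open ACL, no PAB:   ", assess_bucket(OPEN_POLICY, OPEN_ACL, NO_PAB))
    print("open policy + open ACL, full PAB: ", assess_bucket(OPEN_POLICY, OPEN_ACL, FULL_PAB))
    print("scoped policy + private ACL:      ", assess_bucket(SCOPED_POLICY, PRIVATE_ACL, NO_PAB))
```

The distinction that matters operationally is between `public` and `protected`: the latter means a world-readable grant is present but currently neutralised by Public Access Block, which is a separate setting that can be switched off later. The grant itself should still be removed.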
Prestige Software provides a channel-management platform called Cloud Hospitality, which hotels use to manage and automate room availability across the major booking sites.
In this case, the software company was storing the credit card data of travel agents and hotel guests without any protection, and personal and financial records dating as far back as 2013 were exposed online. Storing a card's CVV after authorization is prohibited by PCI DSS regardless of how the storage is secured, so the presence of CVV codes in the bucket is a problem in its own right, not only because the bucket was public.
According to a report compiled by Mark Holden of Website Planet, the data exposed belonged to hotel guests and contained the following:
National ID numbers
Hotel reservation number
Date and length of stay
Credit card numbers, together with the cardholder's name, CVV code and card expiration date.
“We haven’t looked at all of the files exposed in the S3 bucket, so this is not a complete list. All websites and booking platforms connected to Cloud Hospitality have probably been affected. These websites are not responsible for the data exposed as a result,” Holden said in his report.
Since Prestige Software is based in Europe and the exposed data belongs to people all over the world, including EU citizens, the company should be prepared for hefty GDPR fines and penalties.
The bucket was found exposed in mid-July 2020 and held hundreds of thousands of records, which took months to analyze.
“We can safely say that it was on display from at least mid-July until it was reported to the AWS team in September,” Website Planet told Hackread.com.
As for affected customers, it is not clear whether the data was accessed by a third party with malicious intent. However, as recent cases show, cybercriminals actively hunt for exposed databases, copy the data and sell it on dark web markets, or leak it on hacker forums for free download.
One such case was reported a few months ago when the personal details and phone numbers of 42 million Iranians were exposed on a misconfigured server and ended up on the dark web and a hacker forum for sale within days.
In another case, Hackread.com reported that a misconfigured database exposed the personal information of 267 million (267,140,436) Facebook users in December 2019. Four months later, in April 2020, the same dataset was being sold for $600 (€549 / £492) on a hacker forum.