Data Breach Exposes Millions of Hotel Customers’ Sensitive Information
A significant data breach at Prestige Software, a provider of hotel reservation systems, has potentially compromised the sensitive information of millions of hotel customers. The breach was uncovered by cybersecurity research firm Website Planet, which reported that the company’s Cloud Hospitality system had been storing years’ worth of unprotected credit card information and personal customer data, leaving it vulnerable to unauthorized access.
The data leak involves critical information dating back to 2013. It includes not only credit card numbers and CVV codes but also full names, addresses, identification numbers, and comprehensive details about customer reservations. This exposure heightens the risks of fraud and cyberattacks for millions of individuals who have booked hotels through major online platforms like Booking.com and Expedia, both of which rely on Prestige Software’s systems.
Website Planet identified that the data was stored on a misconfigured Amazon Web Services (AWS) S3 bucket, which lacked proper security measures. This oversight represents a breach of the Payment Card Industry Data Security Standard (PCI DSS), which mandates strict guidelines for the storage of credit card information. The exposed log files numbered over 10 million, signaling a considerable amount of data at risk.
By improperly securing sensitive data, Prestige Software not only jeopardized the security of consumers but also potentially influenced the reputation and operational integrity of other companies utilizing its Cloud Hospitality platform. Notable travel industry players such as Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, and Sabre may also find their customers’ data at risk due to this security flaw.
The complexities of the breach suggest potential adversary tactics that could have been employed during the incident. According to the MITRE ATT&CK framework, techniques such as initial access, where attackers exploit misconfigurations in cloud services, could explain how the data was exposed. Similarly, persistence tactics could have been used to maintain access to the unsecured data.
Ray Walsh, a digital privacy expert at ProPrivacy, highlighted the staggering scale of individuals impacted by this breach. With the potential misuse of exposed data for phishing scams or identity theft, the stakes for affected customers are high. Although no evidence suggests that cybercriminals had accessed the exposed data prior to its discovery by Website Planet, the firm advises those impacted to engage directly with the affected service providers to ensure their data is secure.
Prestige Software’s product manager, Jose Hernández, stated that the company is taking the incident seriously, implementing corrective measures to prevent future occurrences. He emphasized that there was no unauthorized entry into their systems but rather a momentary exposure of data that went undetected. The ongoing assessment by their technical team seeks to clarify the incident’s scope and impact on users.
In response to these revelations, spokespeople from Expedia Group and Booking.com reassured customers that their systems were not compromised and directed inquiries regarding the incident to Prestige Software. They emphasized proactive communication with clients regarding necessary protective measures and updates on the situation.
As this incident unfolds, it serves as a critical reminder for organizations in the travel industry and beyond about the importance of robust cybersecurity practices. Given the widespread implications of such data breaches, all businesses must prioritize the safeguarding of sensitive information to mitigate risks associated with cyber threats.
