Sensitive data, including credit card details, of more than 10 million travelers and guests has been exposed in a massive data breach on the hotel management reservation platform. The breach came from an improperly configured Amazon Web Services (AWS) S3 bucket used to store data by the hotel management system owned by Spanish technology company Prestige Software. The breach affected several hotel reservation companies that use the platform, including Expedia and Booking.com. People who have used these reservation services since 2013 are at risk of identity theft, scams, credit card fraud, vacation theft, and blackmail.
Another booking platform, RedDoorz, also revealed that it suffered a data breach after a database with 5.8 million user records was listed for sale on a hacker forum.
Prestige Software data breach hits hotel reservation companies
The Prestige data breach affected all hotel reservation companies connected to the company’s Cloud Hospitality platform. Hotel reservation companies use the system to integrate their reservation systems with online reservation sites, allowing them to synchronize reservations and room availability across multiple platforms.
The data breach affected major hotel booking platforms including Agoda, Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Saber, among others. Although the various hotel reservation companies were affected, they were not responsible for the data exposed.
Details exposed in Prestige Software data breach
Website Planet’s security team said 24.4 GB of data was exposed in the hotel reservation companies’ data breach. The number of affected customers was likely over 10 million, as many registrations combined multiple guests into a single booking. Some of the data disclosed dates back to 2013, but the compartment was still active with over 180,000 records for the month of August 2020 alone.
The security company said Prestige Software stores credit card data for hotel guests and travel agents without any protection, putting millions of people at risk of online fraud.
The records contained names, phone numbers, email addresses, national ID numbers, credit card numbers, cardholder names, CVVs and expiration dates. Other details, such as total cost of hotel reservations, dates of stay, reservation numbers, special guest requests, number of hotel room occupants, names of clients, among others details, were also exposed. Website Planet security researchers contacted AWS directly to report the data breach, and the compartment was secured the next day.
Prestige Software spokesperson Jose Hernández told The Independent that the data was “visible for a very limited time” and that only Website Planet had accessed it during that time. Hernández added that Prestige Software had informed all affected hotel reservation companies of the leak.
However, Gurucul CEO Saryu Nayyar believes threat actors may have secretly discovered the data and have remained silent about it. He points out that behavioral analysis tools could have identified the misconfiguration before the threat actors discovered it. Nayyar added that third-party vendors could be the weakest link in corporate customer information security.
“Working with third-party vendors poses a number of challenges, including ensuring that they maintain the same level of cybersecurity that your own organization needs,” says Nayyar. “This exhibition touches several prestigious Prestige clients. Fortunately, this was discovered by a responsible security research team. “
Expedia said the leak was not from its systems and was redirecting all queries to Prestige Software.
Prestige Software data breach consequences
Affected guests may be vulnerable to various forms of cyber attacks, including phishing scams and identity theft. Attackers could use details of hotel stays to craft compelling phishing messages and trick victims into clicking malicious links and downloading infected attachments.
Additionally, they could blackmail hotel visitors by threatening to divulge details of embarrassing hotel stays. Although no data exploits were detected, Website Planet researchers said cybercriminals could have stolen the data before the breach was discovered.
Prestige Software can also face stiff penalties and massive fines from the General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS). It could also lose its ability to accept and process credit cards, which in turn will affect many hotel reservation companies that rely on its services to process hotel reservations.
Chloe Messdaghi, vice president of security at Point3 Security, says most hotels lack IT security teams that could help them determine the security of third-party vendors.
“Many hotels don’t have IT security staff on their team, which would be the team that would be responsible for determining the security of any third-party platform. Keeping your own ecosystem secure is one thing – investigating the third parties your organization works with is a whole other necessary task. “
RedDoorz database sold on hacker forum
Another booking platform, RedDoorz, revealed that it suffered a data breach in September 2020 after an attacker accessed its online database. Unlike the Prestige Software data breach, the RedDoorz exhibit did not include any financial information.
RedDoorz is a Singapore-based hotel management and reservation platform with over 1,000 properties in South East Asia.
Last week, the database containing 5.8 million user records was listed for sale on a hacker forum. The threatening actor shared a sample containing the table structure and data records of 587 users. The data included full user names, gender, phone number, secondary phone number, date of birth, email, bcrypt hashed passwords, profile picture link and their profession. BleepingComputer has verified that the information posted by hackers matches that of RedDoorz users.