
Hotel reservation company exposes data on “millions” of customers

Prestige Software, a hotel reservation platform used by, and Expedia, left data belonging to ‘millions’ of guests exposed on an improperly configured Amazon Web Services (AWS) S3 bucket.

According to Planet Website, the highly sensitive information dates back to 2013. It reports that the Spanish company, which sells a channel management platform called Cloud Hospitality that allows hotels to automate their availability on online booking sites, was storing years of hotel clients' and travel agents' data without any protection in place.

As a result, Prestige Software exposed more than 10 million individual log files in total. Each of these records exposed sensitive and personally identifiable information (PII), including names, email addresses, national ID numbers, phone numbers, booking information, and credit card details, including CVV and expiration date.

Planet Website reports that the S3 bucket contained over 180,000 records for the month of August 2020 alone, despite hotel bookings worldwide being at their lowest for that time period.

However, it is difficult to say how many people have been affected due to the amount of data exposed. The report notes that the actual number of people exposed could be much higher than the number of bookings recorded, as many logs contained PII for many people on a single booking.

While the extent of the data breach remains unknown, it could pose risks all too common with hotel data exposure, such as credit card fraud, identity theft, and phishing scams. Perpetrators could even use the data to steal someone else’s reservation.

Planet Website said the hole was closed a day after it informed AWS of the exposure, adding that Prestige Software had confirmed that it was the owner of the data and the party responsible for the leak.


Since Prestige Software is based in Spain, with offices in Madrid and Barcelona, the company could face GDPR action due to the breach. For failure to adhere to the strict rules set out in the legislation, which include the obligation to report the breach within 72 hours, the company could face a fine of €20 million (around £18 million) or 4% of annual worldwide sales.

Earlier this month, the Information Commissioner’s Office (ICO) fined Marriott International £18.4 million for a data breach that affected 339 million guest records worldwide.
