A hotel software vendor exposed the personal data of millions of customers around the world after misconfiguring an AWS bucket, according to a new report from Website Planet.
The tech site’s security team discovered an exposed cloud database owned by Spanish developer Prestige Software, whose platform allows hotels to automate their availability on booking sites like Expedia.
The misconfigured S3 bucket contained over 10 million individual log files, dating back to 2013. Website Planet researcher Mark Holden warned that the total number of affected individuals could be even greater than that, as some logs contained personally identifiable information (PII) for several members of the same reservation.
Among the leaked data were the full names, email addresses, national ID numbers and phone numbers of hotel guests. For hundreds of thousands of people, the card details for the reservation, including card number, cardholder’s name, CVV and expiration date, were also exposed.
The Prestige Cloud Hospitality platform appears to be used by many online travel agency (OTA) sites, including Agoda, Expedia, Booking.com, and Hotels.com.
Website Planet contacted AWS directly to disclose the incident, which was corrected the next day. Prestige Software also confirmed that it was the owner of the data.
The leaked information could have offered malicious third parties a trove of data to commit identity fraud, launch follow-up phishing attacks, and even hijack and modify reservation details.
As a result, the Spanish developer may face questions from GDPR and PCI DSS investigators about the incident.
“Millions of people have been potentially exposed to the data breach, around the world. We can’t guarantee that someone hasn’t already accessed the S3 bucket and stolen the data before we found it,” Holden explained.
“So far there is no evidence that this is happening. However, if this were the case, there would be huge implications for the privacy, security and financial well-being of those exposed.”