IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hotel booking firm exposes data on "millions" of guests

Reservation platform used by Hotels.com, Booking.com and Expedia left sensitive data exposed on a misconfigured AWS S3 bucket

The homepage of the official website for Hotels.com, a site for booking hotel rooms online,

Prestige Software, a hotel reservation platform used by Hotels.com, Booking.com, and Expedia, left data belonging to “millions” of guests exposed on a misconfigured Amazon Web Services (AWS) S3 bucket.

According to Website Planet, the highly-sensitive information dates back as far back as 2013. It reports that the Spanish company, which sells a channel management platform called Cloud Hospitality that allows hotels automate their availability on online booking websites, was storing years of hotel guest and travel agent data without any protection in place.

As a result, Prestige Software exposed over 10 million individual log files in total. Each of these records exposed sensitive and personally identifiable information (PII), including names, email addresses, national ID numbers, phone numbers, reservation information, and credit card details, including CVV and expiration date.

Website Planet reports that the S3 bucket contained over 180,000 records from August 2020 alone, despite global hotel bookings being at an all-time low for this period.

However, it's difficult to say how many people were affected due to the amount of data exposed. The report notes the actual number of people exposed could be much higher than the number of reservations logged as many of the data logs contained PII data for numerous people on one booking.

While the scope of the data breach remains unknown, it could lead to all too common risks with hotel data exposures, such as credit card fraud, identity theft, and phishing scams. Perpetrators could even use the data to steal someone else's reservation.

Website Planet said the hole was closed a day after telling AWS about the exposure, adding that Prestige Software confirmed it was the owner of the data and the party responsible for the leak.

Related Resource

Don’t just educate: Create cyber-safe behaviour

Designing effective security awareness and training programmes

How to define effective security awareness and training programmesDownload now

Due to the fact that Prestige Software is based in Spain, with offices in Madrid and Barcelona, the company could face GDPR action as a result of the breach. If it failed to follow the strict rules set out within the legislation, which includes a requirement to report the breach within 72 hours, the company could be fined €20 million (about £18 million) or 4% of annual global turnover.

Earlier this month, the Information Commissioner's Office (ICO) hit Marriott International with an £18.4 million fine for a data breach that affected 339 million guest records worldwide.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022