Hotel Booking Firm Leaks Data on Millions of Guests


Level 68
Content Creator
Malware Hunter
Aug 17, 2014
A hotel software provider has exposed the personal data of millions of guests around the world after misconfiguring an AWS bucket, according to a new report from Website Planet.

The tech site’s security team discovered an exposed cloud database belonging to Spanish developer Prestige Software, whose platform enables hotels to automate their availability on booking websites like Expedia.

The misconfigured S3 bucket contained over 10 million individual log files, dating back to 2013. Website Planet researcher, Mark Holden, warned that the total number of affected individuals could be even greater than this, as some logs contained personally identifiable information (PII) for multiple members of a single booking.

Among the leaked data were full names, email addresses, national ID numbers and the phone numbers of hotel guests. For hundreds of thousands of individuals card booking details including card number, cardholder’s name, CVV and expiration date were also exposed.
“Millions of people were potentially exposed in the data breach, from all over the world. We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” argued Holden.
“So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”