The list of online booking sites affected by the breach includes some of the top industry giants including Booking.com.
A Barcelona, Spain-based software firm called Prestige Software has been caught exposing sensitive, private, and financial data of millions of customers around the globe.
In particular, customers of Booking.com, Expedia, Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, Sabre, and several others are among the unsuspecting victims of the data breach.
The exposed database was originally identified by researchers at Website Planet, who noticed that a misconfigured AWS S3 bucket owned by Prestige Software had been left open to public access without any authentication.
The researchers analyzed the bucket and concluded that it contained 24.4 GB worth of data totaling more than 10 million files.
It is worth noting that Prestige Software provides hotels with a channel management platform called Cloud Hospitality, which handles and automates room availability on top booking sites.
In this case, the software firm was storing credit card data of travel agents and hotel customers without any security measures. As a result, personal and financial data of customers dating as far back as 2013 was exposed online.
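The misconfiguration described above is a bucket whose public access block, ACL and policy together let anyone read it. As an added example (not from the article or from Prestige Software), the checker below evaluates those three settings the way a defender's audit script would, using constructed sample inputs shaped like the responses boto3's `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy` return; the bucket name, policy and grants are made up.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups as (group, permission)."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def public_policy_sids(policy_json):
    """Sids of unconditional Allow statements whose Principal is '*' (anyone)."""
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # Statement may be a single object
    hits = []
    for s in stmts:
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and anyone and "Condition" not in s:
            hits.append(s.get("Sid", "<no Sid>"))
    return hits

def assess_bucket(pab, acl, policy_json=None):
    """Return exposure findings for one bucket; an empty list means nothing is public."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings = ["public access block missing " + k for k in PAB_KEYS if not cfg.get(k)]
    if not cfg.get("IgnorePublicAcls"):  # existing public ACL grants only count if not ignored
        findings += [f"ACL grants {perm} to {grp}" for grp, perm in public_acl_grants(acl)]
    if not cfg.get("RestrictPublicBuckets"):  # a wildcard policy only counts if not restricted
        findings += [f"policy statement {sid} allows anyone" for sid in public_policy_sids(policy_json)]
    return findings

# Constructed samples in the shape boto3's get_public_access_block, get_bucket_acl and
# get_bucket_policy return; the values are made up, not the bucket from the article.
OPEN_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for label, pab in (("open", OPEN_PAB), ("hardened", HARDENED_PAB)):
        print(label, assess_bucket(pab, OPEN_ACL, OPEN_POLICY))
```

With the same public ACL and policy in place, the hardened public access block yields no findings because it neutralises both, which is why enabling all four settings at the account level is the usual first mitigation.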
According to a report compiled by Mark Holden from Website Planet, the exposed data belonged to hotel guests and contained the following:
Hotel reservation number
Date and duration of stay
Credit card numbers, including the owner’s name, CVV code, and card expiration date
“We didn’t review all the files exposed in the S3 bucket, so this isn’t a complete list. Every website and booking platform connected to Cloud Hospitality was probably affected. These websites are not responsible for any data exposed as a result,” Holden stated in his report.
Since Prestige Software is based in Europe and the exposed data belongs to people around the globe, including EU citizens, the company should brace for hefty GDPR fines and penalties.
The database was detected in mid-July 2020, together with hundreds of thousands of other open systems, which understandably took months to analyze.
“We can safely say it was exposed from at least mid-July until it was reported to the AWS team in September,” Website Planet told Hackread.com.
As for affected customers, it is unclear whether their data was accessed by third parties with malicious intent. However, as seen recently, cybercriminals have been scanning for exposed databases, stealing the data, and either selling it on dark web marketplaces or leaking it on hacker forums for free download.
One such case was reported a few months ago when personal details and phone numbers of 42 million Iranians were exposed on a misconfigured server and ended up on the dark web and a hacker forum for sale within days.
In another case, Hackread.com reported that a misconfigured database exposed the personal information of 267 million (267,140,436) Facebook users in December 2019. A year later in April 2020, the same database was being sold for $600 (€549 – £492) on a hacker forum.