A database belonging to Prestige Software – containing over 10 million files – has been found publicly accessible online.
Security experts working for Website Planet discovered that the Spanish software firm failed to password-protect an AWS S3 bucket that held the personal details of hotel guests dating back to 2013.
The exposed information comes from the organisation’s Cloud Hospitality platform, which is used by hotels to manage online bookings on sites such as Expedia, Booking.com and Hotels.com.
In total, 24.4 GB of data was exposed, including guests’ full names, email addresses, phone numbers and credit card details.
The error puts millions of people at risk from fraud and online attacks.
What does this mean?
Whenever there is a data breach, the immediate questions are: how damaging is this to the individuals affected and what are the implications in terms of regulatory penalties?
The scale of the incident suggests that there could be serious ramifications for both individuals and the organisation – particularly in relation to the GDPR (General Data Protection Regulation) and the PCI DSS (Payment Card Industry Data Security Standard).
Anyone who stumbled upon this information would have everything they need to commit fraud.
Moreover, the information was left publicly available online for up to seven years, and although there is no evidence that the data was misused, you can’t rule out the possibility that it was found by a malicious actor.
Ray Walsh, a digital privacy expert at ProPrivacy, told the Independent: “Anybody who has made a hotel booking with these major hotel reservation platforms since 2013 is potentially at risk.
“The data that was left exposed could easily be used by cybercriminals to launch secondary phishing attacks, or to commit fraud or identity theft in the future.”
Website Planet is advising anyone who thinks they might be affected to contact Prestige Software to determine what steps are being taken to protect their data.
Jose Hernández, a product manager at Prestige Software, said: “Since we became aware of the incident, we have been working with our technical teams in order to assess the situation, adopt corrective measures and ensure that this is not given in the future.”
He went on assure customers that the data “was made publicly visible for a very limited time” and that Prestige Software hadn’t detected any unauthorised access other than from Website Planet.
“In conclusion, we have taken measures to diligently react to this incident which, according to the information that we are managing right now, should actually have had very limited effects,” he said.
This report is a little unsatisfactory – appreciate the precise circumstances and actual public breach is unclear, but surely it would be helpful to highlight the travel industry (and other?) clients that rely on this database so that organisations can make their own changes. Is there a public announcement you can provide a link to please
Hi Andrew — as you note, the full scale of the breach isn’t yet known. Prestige Software is used by most prominent online booking agencies, so any organisation who uses its services (and their customers) should be wary.