A widely used hotel reservation platform has exposed 10m files related to guests at various hotels worldwide, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.
A cloud misconfiguration affecting users of a popular reservation platform threatens travellers with identity theft, scams, credit-card fraud & vacation-stealing.
Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia & Booking.com.
The incident has affected 24.4Gb worth of data in total, according to the security team at Website Planet, which uncovered the bucket. Many of the records contain data for multiple hotel guests that were grouped together on a single reservation; thus, the number of people exposed is likely well over the 10m, researchers outlined.
Some of the records go back to 2013, the team determined, but the bucket was still “live” & in use when it was discovered this month.
“The company was storing years of credit-card data from hotel guests & travel agents without any protection in place, putting millions of people at risk of fraud & online attacks,” according to the firm, in a recent notice on the issue.
“The S3 bucket contained over 180,000 records from Aug. 2020 alone. Many of them related to hotel reservations being made on numerous websites, despite global hotel bookings being at an all-time low for this period.”
The records contain a raft of information, Website Planet commented, including full names, email addresses, national ID numbers & phone numbers of hotel guests; card numbers, cardholder names, CVVs & expiration dates; & reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names & more.
The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more.
“Every website & booking platform connected to Cloud Hospitality was probably affected,” according to Website Planet. “These websites are not responsible for any data exposed as a result.”
Hotel guests affected could be the targets of a wide range of attacks, from identity theft and phishing to someone hijacking their vacations, researchers suggested. For instance, they pointed out that cyber-criminals could use details of hotel stays to create convincing scams & target wealthy individuals who have stayed at expensive hotels.
If any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail & extort them.
“We can’t guarantee that somebody hasn’t already accessed the S3 bucket & stolen the data before we found it,” researchers commented. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security & financial wellbeing of those exposed.”
Other attack scenarios include credit-card fraud & longer scam efforts where an attacker could use the details to establish trust, & then encourage people to click on malicious links, download malware or provide valuable private data.
As for Prestige, it is subject to the General Data Protection Regulation & the Payment Card Industry Data Security Standard, known as PCI DSS. GDPR violations can result in large fines. Non-compliance with the PCI DSS may mean that Prestige’s ability to accept & process credit-card payments will be stripped, researchers noted.
“The international travel & hospitality industries have been devastated by the coronavirus crisis, with many companies struggling to survive, & millions of people out of work,” researchers stated. “By exposing so much data & putting so many people at risk in such a delicate time, Prestige Software could face a PR disaster due to this breach.”
Large Cloud Misconfigurations
Researchers contacted AWS directly, & the S3 bucket was secured the following day. Prestige, they suggested, confirmed that it owned the data.
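What "secured" means in practice for an S3 bucket comes down to a handful of settings: the four Block Public Access flags, the bucket ACL, and the bucket policy. The following is an added example (not code from the article, Website Planet or Prestige Software) that evaluates those settings offline; the bucket names, owner ID and the two sample responses are constructed to mimic an exposed bucket and its remediated state, in the same shape boto3 returns them.

```python
from typing import Any, Dict, List, Optional

# Grantee URIs that mean "anyone on the internet" / "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GRANTEES = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# The four S3 Block Public Access settings; all must be on for a locked-down bucket.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_bucket(pab: Optional[Dict[str, bool]], grants: List[Dict[str, Any]],
                  policy_is_public: bool) -> List[str]:
    """Return findings for one bucket. Arguments mirror what boto3 returns from
    get_public_access_block (None if never configured), get_bucket_acl()["Grants"]
    and get_bucket_policy_status()["PolicyStatus"]["IsPublic"]."""
    findings = []
    pab = pab or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    for grant in grants:
        grantee = grant.get("Grantee", {})
        # A public ACL grant only takes effect while IgnorePublicAcls is off.
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES
                and not pab.get("IgnorePublicAcls")):
            findings.append(f"ACL grants {grant['Permission']} to "
                            f"{grantee['URI'].rsplit('/', 1)[-1]}")
    # A public bucket policy is neutralised once RestrictPublicBuckets is on.
    if policy_is_public and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows public access")
    return findings


# Constructed sample inputs (not data from the incident): an exposed bucket
# and the same bucket after remediation.
OPEN_BUCKET = dict(
    pab=None,  # no Block Public Access configuration at all
    grants=[{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    policy_is_public=False,
)
FIXED_BUCKET = dict(
    pab={flag: True for flag in PAB_FLAGS},
    grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
             "Permission": "FULL_CONTROL"}],
    policy_is_public=False,
)

if __name__ == "__main__":
    for name, bucket in (("open", OPEN_BUCKET), ("fixed", FIXED_BUCKET)):
        print(name, assess_bucket(**bucket) or ["no public exposure found"])
```

Run against live buckets, the three dicts come from boto3's get_public_access_block, get_bucket_acl and get_bucket_policy_status calls with read-only credentials; a bucket is only as closed as the weakest of the three layers.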
This is the latest in the line of large cloud misconfigurations. Pharma giant & COVID-19 vaccine hopeful Pfizer in Oct. was found to have leaked the private medical data of prescription-drug users in the US for months or even years, thanks to an unprotected Google Cloud storage bucket.
The exposed data includes phone-call transcripts & personally identifiable information (PII) related to prescriptions.
Also in Oct., Broadvoice, a well-known VoIP provider that serves small- & medium-sized businesses, was found to have leaked more than 350m customer records related to the company’s “b-hive” cloud-based communications suite.
Among other incidents this Autumn, an estimated 100,000 customers of Razer, a supplier of high-end gaming gear ranging from laptops to clothes, had their private info exposed via a misconfigured Elasticsearch server.
A misconfigured Mailfire-owned Elasticsearch server impacting 70 dating & e-commerce sites was found leaking PII and details such as romantic preferences. Also, the Welsh arm of the National Health Service announced that PII for Welsh residents who had tested positive for COVID-19 was exposed via a public cloud upload.
A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitech showed that 6% of all Google Cloud buckets are misconfigured & left open to the public internet, for anyone to access their contents.