FastBooking, a Paris-based firm offering booking services for over 1,000 hotels across 100 countries, suffered a major breach when unnamed hackers exploited a vulnerability in an application hosted on the firm's server to install a malicious software and subsequently steal personal and financial details of customers.
FastBooking informed affected hotels about the breach via email but is yet to provide details about the same in its website. According to details accessed by Bleeping Computer, as many as 380 of the affected hotels are located in Japan alone, suggesting that the true count of affected hotels could exceed one thousand.
Server vulnerability exploited
In its email, FastBooking told affected hotels that the breach took place on June 14th after a hacker exploited a vulnerability in an application hosted on one of its servers to install a malicious software. The software was then used by the hacker to steal personal and financial information of people who checked in to the affected hotels.
Details accessed by the hacker include personal information of guests such as first and last names, addresses, email addresses, nationality, and booking details as well as financial details such as card numbers, expiration dates, and names of cardholders. The breach was discovered by FastBooking on June 19th and the vulnerability was fixed on the same day.
All the affected hotels are expected to notify their customers about the breach along with information on how to ensure their financial information is not used by hackers to commit fraud. According to Bleeping Computer, Prince Hotels & Resorts in Japan has already notified 124,963 guests who stayed at 82 of its hotels about the breach.
Commenting on the breach suffered by FastBooking, Adam Brown, manager of security solutions at Synopsys, said that the firm could have prevented the breach had it complied with Article 32 of the GDPR which mandates businesses to put in place procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of data processing.
"This breach could have involved a well-known vulnerability which could have been detected through a vulnerability assessment. If it’s identified that known vulnerable components were involved that could have been discovered and prevented through a penetration test, for instance, FastBooking can expect to have the law read back to them.
"It also appears that the data wasn’t encrypted, or if it was, the keys weren’t kept separately. This situation could have potentially been avoided by having a deliberate and effective software security initiative driven by the firm’s leadership. However, not enough details are available as of yet to speculate on what went wrong and how it could have been handled differently," he added.
Repeated and successful targeting of hotel chains
This isn't the first time that hackers have successfully exploited vulnerabilities in enterprise servers that store personal and financial information of hotel guests. In October last year, Hyatt Corp. announced that between March and July, hackers accessed details of payment cards which were either swiped or manually entered at the front desk of 41 properties across 11 countries, including China, Brazil, the United States, India, Japan, Malaysia and several other countries.
Between September 29 and December 29 of 2016, hackers were also able to successfully hack InterContinental Hotels Group PLC's payment servers in the United States and Puerto Rico and steal a large number of payment card details of customers.
The breach of IHG's payment servers was discovered not by the group's cyber security teams but by the group's card providers, thereby revealing a a serious gap between capabilities of hackers and those of such hotels in protecting and securing customer data.