Hotel booking software firm exposed over 10m guest data records

Personal information of millions of people was exposed recently after Prestige Software, a software development company based in Spain, misconfigured an AWS S3 bucket that stored highly sensitive data associated with millions of hotel guests worldwide.

Prestige Software offers the popular Cloud Hospitality software, a channel management platform that allows hotels to automate their availability on online booking websites like Expedia and Booking.com. The software is connected to several of the world's largest hotel booking websites, including Hotels.com, Agoda, Expedia, Booking.com, Amadeus, Hotelbeds, and Omnibees.

Recently, security researchers at Website Planet discovered a misconfigured AWS S3 bucket that contained information obtained by the Cloud Hospitality software and was continually being updated with fresh data obtained by the platform.

Upon detailed analysis, the researchers found that the misconfigured database stored highly sensitive data dating back to 2013, and the exposed data included full names, email addresses, national ID numbers, and phone numbers of hotel guests, their credit card numbers, CVV codes, and expiration dates, cost of hotel reservations, and reservation details such as price per night, dates of stays, number of guests, and guest names.

In all, the misconfigured AWS S3 bucket contained over ten million data records and was over 24.4GB in size at the time of its discovery. As many as 180,000 data records were associated with hotel bookings made worldwide in August 2020 alone.

After discovering the massive S3 bucket owned by Prestige Software, the researchers reached out to AWS directly to ensure the bucket was secured before it could be discovered by malicious parties. However, given that the database had been unprotected since 2013, it is highly probable that cyber criminals accessed it using known tools and techniques.

"Prestige Software exposed the private data and credit card details of millions of people worldwide, spanning almost a decade. The international travel and hospitality industries have been devastated by the Coronavirus crisis, with many companies struggling to survive, and millions of people out of work. By exposing so much data and putting so many people at risk in such a delicate time, Prestige Software could face a PR disaster due to this breach," said researcher Mark Holden in a blog post.

"Cybercriminals could use contact information exposed in the breach to target hotel guests with scams, phishing campaigns, and malware attacks. With the PII data from the leak, it would be easy to establish trust and encourage people to click on links embedded with malware or provide valuable private data.

"Cybercriminals could use details of hotel stays to create convincing scams and target wealthy individuals who have stayed at expensive hotels for maximum reward on their schemes. Finally, if any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail and extort them," he added.

Commenting on the massive exposure of personal and financial data of hotel guests worldwide, Warren Poschman, senior solution architect at comforte AG, told TEISS that the Prestige breach is the latest in a long trail of data leaked due to misconfigured cloud resources, and S3 buckets in particular.

"While this could have been mitigated by simply accepting the default S3 permissions to deny access, the root of the issue is that hotels and other organisations are playing with live data when they should instead be leveraging a data-centric security model to allow data to be protected as it is acquired and traverses through the organisation regardless of where it is stored or accessed.

"Data-centric protection using technologies like tokenization allows the organization to use the protected data for day-to-day operations, analytics and data sharing – in this case it could have meant avoiding a breach entirely because the S3 bucket would have only contained de-identified, secure data," he added.
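As an added illustration, not code from the article or from any of the companies it names, the check below evaluates a constructed S3 bucket policy together with the S3 Block Public Access settings that keep a bucket at its private default. The bucket name, account id and role name are made-up placeholders; bucket ACLs, the other common exposure path, are not covered.

```python
import json

# Constructed sample policies (not from the article): one grants anonymous
# read to everyone, the other limits access to a single IAM role.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/channel-manager"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# S3 Block Public Access settings: all four True is the hardened default-deny
# configuration, all four False leaves a public policy or ACL effective.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BLOCK_NONE = {key: False for key in BLOCK_ALL}


def _is_anonymous(principal):
    """True if a policy Principal grants access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json):
    """Allow statements with an anonymous principal. A Condition may narrow
    them, but they are flagged regardless so a reviewer looks at each one."""
    doc = json.loads(policy_json)
    return [s for s in doc.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))]


def bucket_exposed(policy_json, public_access_block):
    """Exposed when the policy allows anonymous access and RestrictPublicBuckets
    is off; with it on, anonymous access via a public policy is blocked."""
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    return bool(public_statements(policy_json))
```

Run against the policies actually attached to each bucket (for example via `aws s3api get-bucket-policy` and `get-public-access-block`) to find the same class of misconfiguration before data accumulates in it.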

Earlier this month, Marriott International was fined £18.4 million by the ICO for failing to prevent hackers from stealing 339 million guest records worldwide between 2014 and 2018 after breaching the group's Starwood reservation system.

The data breach impacted personal and financial information of millions of people who made bookings at Marriott International's Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.

Copyright Lyonsdown Limited 2020