Prestige Software, which markets a booking platform used by Booking, Expedia and Hotels.com, exposed nearly 10 million customer data records through a misconfigured Amazon Web Services S3 bucket. The exposed data includes names, credit card numbers, identification numbers and hotel reservation details.
The Spanish company Prestige Software has leaked nearly 10 million customer data records stored in an Amazon Web Services S3 bucket. Because of a misconfiguration, names, credit card numbers, identification numbers and hotel reservation details were exposed on the Internet. The breach was discovered by Website Planet and has since been closed.
Platform used by Expedia, Booking...
Prestige Software markets a platform called “Cloud Hospitality”, which allows hotels to automate their availability on online reservation sites. The platform is used notably by Booking, Expedia, Hotels.com, Agoda, Amadeus, Hotelbeds and Omnibees. “Lots of other sites” are affected, but Website Planet has not been able to identify them all.
The earliest data dates back to 2013. But Website Planet notes that the AWS S3 bucket was still active in August 2020, a month in which 180,000 records were recorded.
At this time, it is impossible to know exactly how long the data has been freely accessible, or whether someone has stolen it. If cybercriminals get their hands on it, it could be used to commit credit card fraud or conduct phishing campaigns.
Risk of a fine in the event of a GDPR violation
Being located in Spain, Prestige Software is subject to the obligations of the General Data Protection Regulation (GDPR). The Agencia Española de Protección de Datos, Spain's equivalent of the CNIL, may therefore impose a fine of up to 4% of the company’s worldwide annual turnover if it considers that the data was poorly secured.
Because it processes sensitive data, the hotel sector is regularly confronted with leaks of varying severity. In France, Gekko Group, a subsidiary of AccorHotels specializing in B2B hotel reservations, was the source of a leak of personal data belonging to 140,000 travelers in 2019. Recently, Marriott was fined 20 million euros by the British equivalent of the CNIL for not having sufficiently protected its system.