[BreachExchange] Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak

Destry Winant destry at riskbasedsecurity.com
Tue Nov 10 10:44:08 EST 2020


https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/

A cloud misconfiguration affecting users of a popular reservation
platform threatens travelers with identity theft, scams, credit-card
fraud and vacation-stealing.

A widely used hotel reservation platform has exposed 10 million files
related to guests at various hotels around the world, thanks to a
misconfigured Amazon Web Services S3 bucket. The records include
sensitive data, including credit-card details.

Prestige Software’s “Cloud Hospitality” is used by hotels to integrate
their reservation systems with online booking websites like Expedia
and Booking.com.

The incident has affected 24.4 GB worth of data in total, according to
the security team at Website Planet, which uncovered the bucket. Many
of the records contain data for multiple hotel guests that were
grouped together on a single reservation; thus, the number of people
exposed is likely well over the 10 million, researchers said.

Some of the records go back to 2013, the team determined – but the
bucket was still “live” and in use when it was discovered this month.

“The company was storing years of credit-card data from hotel guests
and travel agents without any protection in place, putting millions of
people at risk of fraud and online attacks,” according to the firm, in
a recent notice on the issue. “The S3 bucket contained over 180,000
records from August 2020 alone. Many of them related to hotel
reservations being made on numerous websites, despite global hotel
bookings being at an all-time low for this period.”

The records contain a raft of information, Website Planet said,
including full names, email addresses, national ID numbers and phone
numbers of hotel guests; card numbers, cardholder names, CVVs and
expiration dates; and reservation details, such as the total cost of
hotel reservations, reservation number, dates of a stay, special
requests made by guests, number of people, guest names and more.

The exposure affects a wide number of platforms, with data related to
reservations made through Amadeus, Booking.com, Expedia, Hotels.com,
Hotelbeds, Omnibees, Sabre and more.

“Every website and booking platform connected to Cloud Hospitality was
probably affected,” according to Website Planet. “These websites are
not responsible for any data exposed as a result.”

Hotel guests affected could be the targets of a wide range of attacks,
from identity theft and phishing to someone hijacking their vacations,
researchers said. For instance, they pointed out that cybercriminals
could use details of hotel stays to create convincing scams and target
wealthy individuals who have stayed at expensive hotels. And if any
hotel stays revealed embarrassing or compromising info about a
person’s life, it could be used to blackmail and extort them.

“We can’t guarantee that somebody hasn’t already accessed the S3
bucket and stolen the data before we found it,” researchers said. “So
far, there is no evidence of this happening. However, if it did, there
would be enormous implications for the privacy, security and financial
wellbeing of those exposed.”

Other attack scenarios include credit-card fraud and longer scam
efforts where an attacker could use the details to establish trust,
and then encourage people to click on malicious links, download
malware or provide valuable private data.

As for Prestige, it’s subject to General Data Protection Regulation
and the Payment Card Industry Data Security Standard, known as PCI
DSS. GDPR violations can result in large fines. And non-compliance with
the PCI DSS may mean that Prestige’s ability to accept and process
credit-card payments will be stripped, researchers noted.

“The international travel and hospitality industries have been
devastated by the coronavirus crisis, with many companies struggling
to survive, and millions of people out of work,” researchers said. “By
exposing so much data and putting so many people at risk in such a
delicate time, Prestige Software could face a PR disaster due to this
breach.”

Researchers contacted AWS directly, and the S3 bucket was secured the
following day. Prestige, they said, confirmed that it owned the data.
Threatpost has reached out to Prestige for a comment on the incident.

This is the latest in a line of large cloud misconfigurations.
Pharma giant and COVID-19 vaccine hopeful Pfizer in October was found
to have leaked the private medical data of prescription-drug users in
the U.S. for months or even years, thanks to an unprotected Google
Cloud storage bucket. The exposed data includes phone-call transcripts
and personally-identifiable information (PII) related to
prescriptions.

Also in October, Broadvoice, a well-known VoIP provider that serves
small- and medium-sized businesses, was found to have leaked more than
350 million customer records related to the company’s “b-hive”
cloud-based communications suite.

Among other incidents this fall, an estimated 100,000 customers of
Razer, a purveyor of high-end gaming gear ranging from laptops to
apparel, had their private info exposed via a misconfigured
Elasticsearch server. And, a misconfigured, Mailfire-owned
Elasticsearch server impacting 70 dating and e-commerce sites was
found leaking PII and details such as romantic preferences. Also, the
Wales arm of the U.K.’s National Health Service announced that PII for
Welsh residents who had tested positive for COVID-19 was exposed via a
public cloud upload.

A too-large percentage of cloud databases containing highly sensitive
information are publicly available, an analysis in September found.
The study from Comparitech showed that 6 percent of all Google Cloud
buckets are misconfigured and left open to the public internet, for
anyone to access their contents.

