A sloppy lack of security by a hotel reservation platform has left highly sensitive information about millions of people worldwide exposed.
Security experts working for Website Planet uncovered a misconfigured AWS S3 bucket containing over 10 million files, containing information about hotel guests dating as far back as 2013.
The finger of blame is pointing at Spanish firm Prestige Software, which sells a platform called Cloud Hospitality that helps hotels manage online booking sites like Expedia, Booking.com, Hotels.com, and Amadeus.
Sign up to our newsletterSecurity news, advice, and tips.
It’s important to recognise that it was not the hotel booking websites themselves which were responsible for the data breach, or the hotels.
Instead, it was Prestige’s Cloud Hospitality software that was at fault. The software is supposed to ensure that a hotel room reserved on, say, Amadeus, is correctly marked as unavailable on Booking.com and other sites.
The software is not supposed to then leave the sensitive data, unencrypted and accessible to anyone on the internet – no password required. All because the cloud-based storage was misconfigured.
The 24.4 GB of exposed information left on the Amazon S3 bucket included guests’ full names, email addresses, phone numbers, ID numbers, and reservation numbers. In addition, credit card details (including card numbers, cardholder names, CVVs, and expiration dates).
In the wrong hands that data could easily be exploited by identity thieves and scammers.
Having come across such a significant data breach, Website Planet chose to contact Amazon’s AWS team directly t ..
Support the originator by clicking the read the rest link below.
