10 November 2020

Prestige reservation platform leaks data on millions of hotel guests worldwide



More than 10 million hotel guests worldwide were affected by a data leak stemming from a misconfigured Amazon S3 bucket used by Prestige Software’s Cloud Hospitality.

Prestige Software is based in Spain and sells a channel manager called Cloud Hospitality, which allows hotels to integrate their reservation systems with online booking websites like Booking.com and Expedia.

According to the security researchers at Website Planet who discovered the data breach, the leaked information dates back as far as 2013 and was stored without any protections in place. The exposed data includes hotel guests' full names, email addresses, national ID numbers, and phone numbers; card details (card number, cardholder's name, CVV, and expiration date); payment details such as the total cost of hotel reservations; and reservation details (reservation number, dates of a stay, the price paid per night, any additional requests made by guests, number of people, guest names, and more).

The report says that the unprotected AWS bucket contained over 10 million individual log files, more than 24.4 GB worth of data. Over 180,000 records from August 2020 alone were found in the bucket. The S3 bucket contained data that appeared to originate from many well-known sources listed as Cloud Hospitality's customers, including Booking.com, Hotels.com, Expedia, Amadeus, Agoda, Hotelbeds, Sabre and Omnibees, among others.

It is not clear how long the data was leaking, or whether cybercriminals discovered the exposed database and made use of it for their own purposes. Considering the vast amount of data exposed, the researchers said they contacted Amazon directly regarding the issue, and the S3 bucket was secured the following day.
