10 November 2020

Prestige reservation platform leaks data on millions of hotel guests worldwide



More than 10 million hotel guests worldwide were affected by a data leak stemming from a misconfigured Amazon S3 bucket used by Prestige Software’s Cloud Hospitality.

Prestige Software is based in Spain and sells a channel manager called Cloud Hospitality, which allows hotels to integrate their reservation systems with online booking websites like Booking.com and Expedia.

According to security researchers at Website Planet who discovered the data breach, the leaked information dates back as far as 2013 and was stored without any protections in place. The exposed data includes full names, email addresses, national ID numbers, and phone numbers of hotel guests; card details (card number, cardholder’s name, CVV, and expiration date); payment details such as the total cost of hotel reservations; and reservation details (reservation number, dates of a stay, the price paid per night, any additional requests made by guests, number of people, guest names, and more).

The report says that the unprotected AWS bucket contained over 10 million individual log files - more than 24.4 GB worth of data. Over 180,000 records from August 2020 alone were found in the bucket. The S3 bucket contained data that appeared to originate from many well-known sources listed as Cloud Hospitality’s customers, including Booking.com, Hotels.com, Expedia, Amadeus, Agoda, Hotelbeds, Sabre and Omnibees, among others.

It is not clear how long the data was leaking, or whether cybercriminals discovered the exposed database and made use of it for their own purposes. Considering the vast amount of data exposed, the researchers said they contacted Amazon directly regarding the issue, and the S3 bucket was secured the following day.
