Experts' Insight On Hotel Booking Firm Leaks Info From Millions Of Guests

On Friday, research was published showing that a hotel reservation platform had been exposing highly sensitive data on millions of hotel guests worldwide, dating back as far as 2013 and including credit card details for hundreds of thousands of people. Prestige Software, based in Madrid and Barcelona, sells a channel management platform called Cloud Hospitality that automates hotels' availability on online booking sites such as Expedia and Booking.com. The company was reportedly storing years of credit card data belonging to hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks.

Jake Moore, Cybersecurity Specialist
November 11, 2020 10:47 am

This is yet another Amazon S3 bucket incident, which proves again that site owners are clearly not aware of the scale of this vulnerability. Time after time there are incidents where data is lost or compromised, and when the data is not even encrypted we are seeing potentially catastrophic outcomes.

S3 is one of the oldest services in AWS and the good news is that it always defaults to secure and private. However, the bad news is that AWS allows people to use it and notoriously people weaken or even bypass security – sometimes without even being aware. Cloud misconfiguration can easily occur, so it needs to be double-checked by the people in charge of it. If you are concerned, log into the console and click on S3 and look for the ‘Public’ tag to see if any data is vulnerable to theft. AWS has taken measures to better educate its customers about proper S3 bucket configurations but the best protection is a two-way street where users take on some of the responsibility themselves too.

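The console check described in the comment above can be done offline against exported configuration. What follows is an added example, not code from the article, from AWS, or from the commenter: it models the rule behind the console's "Public" label (the bucket ACL or bucket policy grants access to everyone, and Public Access Block does not neutralise that grant) over dicts shaped like the JSON from `aws s3api get-public-access-block`, `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`. The sample configurations and the bucket name in the policy are constructed; the authoritative verdict for a real bucket is `aws s3api get-bucket-policy-status`, and the effective block settings are the union of the account-level and bucket-level Public Access Block.

```python
"""Offline evaluation of whether an S3 bucket configuration leaves it public.

Added example, not from the article or from AWS. Inputs are dicts shaped like
the JSON returned by the s3api get-public-access-block / get-bucket-acl /
get-bucket-policy commands; the sample inputs at the bottom are constructed.
"""
import json
from typing import Optional

# Grantee URIs that mean "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers)
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_is_public(acl: dict) -> bool:
    """True if any ACL grant goes to one of the public groups."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS
               for g in acl.get("Grants", []))


def principal_is_wildcard(principal) -> bool:
    """Policy principals "*" and {"AWS": "*"} (or a list containing "*") mean anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_is_public(policy: dict) -> bool:
    """Conservative: any Allow with a wildcard principal is flagged, even when a
    Condition is present. Conditions can narrow the grant, but reviewing them is a
    manual step, so flagging is the safe default for an audit script."""
    return any(s.get("Effect") == "Allow" and principal_is_wildcard(s.get("Principal"))
               for s in policy.get("Statement", []))


def bucket_exposure(public_access_block: dict, acl: dict, policy_json: Optional[str]) -> dict:
    """Combine the three settings into a verdict.

    IgnorePublicAcls makes S3 ignore existing public ACL grants; RestrictPublicBuckets
    limits a public bucket policy to the owning account and AWS services. Either one
    closes that path. BlockPublicAcls / BlockPublicPolicy only stop *new* public
    grants being written, so they do not change the verdict on existing grants.
    """
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    via_acl = acl_is_public(acl) and not pab.get("IgnorePublicAcls", False)
    via_policy = False
    if policy_json:
        via_policy = (policy_is_public(json.loads(policy_json))
                      and not pab.get("RestrictPublicBuckets", False))
    return {"via_acl": via_acl, "via_policy": via_policy, "public": via_acl or via_policy}


# Constructed sample inputs (no real account, bucket or grantee data)
NO_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
OWNER_ONLY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
WORLD_READ_ACL = {"Grants": OWNER_ONLY_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
WORLD_GET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-logs-archive/*"}]})

if __name__ == "__main__":
    print("leaky:", bucket_exposure(NO_BLOCK, WORLD_READ_ACL, None))
    print("same grants, blocked:", bucket_exposure(FULL_BLOCK, WORLD_READ_ACL, WORLD_GET_POLICY))
```

The second call is the point of the exercise: the public ACL and policy are still present, but the full Public Access Block neutralises both, which is why enabling it at the account level is the cheapest fix for the class of incident the comment describes.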
Anurag Kahol, CTO
November 10, 2020 10:39 am

Every year, hotel and booking platforms collect sensitive consumer data and store the personally identifiable information of millions of guests. To mitigate the risks of future data breaches and protect sensitive data, hospitality organisations and other companies need to have full visibility and control over their data.

By leveraging multifaceted solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage, organisations can ensure the privacy and security of customer information.

Boris Cipot, Senior Sales Engineer
November 10, 2020 10:37 am

This is not the first, nor the last time, that we will see an organisation unintentionally leak data on its users. As can be expected, there will likely be legal consequences that will cost the organisation a substantial sum.

Nevertheless, it will be the users who will face the most damaging repercussions. They will no doubt see attackers attempt to infiltrate other accounts where passwords may have been reused, as well as phishing attacks sent to exposed email addresses. Financial data such as credit card numbers may be employed to conduct unauthorised purchases or for other authorisations. Identity theft is another scenario in which such exposed data may be abused as well.

We can't be certain that bad actors have not already gained access to this data, but there are a few things that potentially affected users can do to proactively lower their risk and, in turn, improve their security moving forward. First, users should change their password on the site as well as on any other online service where it may have been reused. It is worth employing a password manager if you are overwhelmed with the number of services used and the regulatory demands for strong passwords. Second, be wary of any email requesting personal data such as passwords, usernames, social security numbers or financial data. Service providers would never request such data over email or even on the phone. If ever in doubt, call your service provider or visit their web page directly and log in through the site. It is critical that you do not open attachments or click on links in emails. Finally, talk with your bank proactively: let them know that you have used a service that has leaked your data, and check your bank statements regularly for suspicious activity.

As for the issue of S3 buckets, I would say the following. Cloud technology is helping organisations in many ways to be better, faster, and more advanced in their operations. However, processes to maintain this technology need to also be regarded as a priority. Introducing technologies in production needs to be paired with thorough checks to ensure that the data is properly safeguarded. While these checks may initially be time-consuming, they are necessary to prevent issues later down the line.

Chloé Messdaghi, VP of Strategy
November 10, 2020 10:35 am

When it comes to reservations sites like Booking.com and Hotels.com, they all need to be better secured. The consumers that use those sites release so much personal information all at once – CC information, passport numbers, billing info, addresses, full names, additional guest names, etc. These sites are already known to not necessarily take proper care of people’s data and, in addition, they now have this third-party situation, which is Prestige Software. This breach pulled data all the way back to 2013, all really sensitive data, extremely sensitive data – full names, passports, phones, IDs, CC details, travel dates, etc.

Many hotels don’t have IT security personnel on their team, which would be the team that would be tasked with determining the safety of any third-party platform. Keeping your own ecosystem safe is one thing – investigating the third parties that your organization works with is a whole other necessary task.

This is a reminder for all the hotel companies out there to put security first. They all carry huge amounts of very sensitive data, and breaches like this one put the hotels themselves at risk – their reputations with their customers. And at the end of the day, the security and privacy of customers should always be top priority.

Warren Poschman, Senior Solutions Architect
November 10, 2020 10:33 am

The Prestige breach is the latest in a long trail of data leaked due to misconfigured cloud resources and S3 buckets in particular. Historical log data was dumped to the S3 bucket and contained large amounts of PII and PCI related data. While this could have been mitigated by simply accepting the default S3 permissions to deny access, the root of the issue is that hotels and other organizations are playing with live data when they should instead be leveraging a data-centric security model to allow data to be protected as it is acquired and traverses through the organization regardless of where it is stored or accessed. Data-centric protection using technologies like tokenization allows the organization to use the protected data for day-to-day operations, analytics and data sharing – in this case it could have meant avoiding a breach entirely because the S3 bucket would have only contained de-identified, secure data.

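The data-centric approach in the comment above, shown as an added example that is not code from the article, from Prestige Software, or from the commenter: a small tokenizer that replaces Luhn-valid card numbers in log records with vault-issued tokens before the records are written anywhere, plus the scan a reviewer would run over an archive to confirm no card numbers remain. The log lines, the regex, the token format and the in-memory `TokenVault` are constructed for illustration; a real deployment would call a tokenization service that shares no storage with the log archive.

```python
"""Tokenize card numbers in log records before they are archived.

Added example, not from the article or any commenter. The sample records use
public test card numbers, the regex and token format are constructed, and the
in-memory TokenVault stands in for a separate tokenization service.
"""
import re
import secrets
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Token format issued by the vault below: random hex plus the last four digits.
TOKEN_RE = re.compile(r"tok_[0-9a-f]{16}_\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn check separates card numbers from other long digit runs (booking refs, phones).
    A non-card value can pass by chance, so this errs towards tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens. The same PAN always gets the same token, so
    de-duplication and analytics still work on the protected data."""

    def __init__(self) -> None:
        self._by_pan: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            # Last four digits kept in clear (as on a receipt) so staff can still match a card.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; the log store holds nothing reversible."""
        return self._by_token[token]


def protect_record(line: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in one log line with its token."""
    def swap(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenize(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(swap, line)


def protect_log(lines: List[str], vault: TokenVault) -> List[str]:
    return [protect_record(line, vault) for line in lines]


def count_pans(text: str) -> int:
    """Count Luhn-valid card numbers in stored data: the scan to run over an archive."""
    return sum(1 for m in PAN_RE.finditer(text)
               if luhn_ok(re.sub(r"[ -]", "", m.group(0))))


# Constructed sample log lines (public test card numbers, no real guest data)
RAW_LOG: List[str] = [
    "2013-08-02T10:14:55Z booking=1234567890123 guest=J.Doe card=4111 1111 1111 1111 exp=09/25",
    "2013-08-02T10:15:01Z booking=1234567890124 guest=A.Roe card=5500-0000-0000-0004 exp=01/24",
    "2013-08-03T08:00:12Z booking=1234567890123 guest=J.Doe card=4111111111111111 exp=09/25",
]

if __name__ == "__main__":
    vault = TokenVault()
    for line in protect_log(RAW_LOG, vault):
        print(line)
    print("PANs left in archive:", count_pans("\n".join(protect_log(RAW_LOG, vault))))
```

Two things worth noting in the output: the 13-digit booking reference survives untouched because it fails the Luhn check, and the first and third records receive the same token for the same card even though one was written with spaces and one without, which is what lets the archive still be used for analytics without containing anything an attacker can charge.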