A New Data Breach Could Have Affected Over 10 Million Hotel Clients Around the World
A popular hotel booking service has exposed the data of over 10 million hotel guests who visited locations all over the globe.
The incident was caused by a poorly configured AWS bucket. According to a report by security experts working with Website Planet who discovered the leaky Amazon server bucket, a whopping 24 gigabytes of data were affected. A lot of the records include the information of multiple guests who were sharing the same reservation, so the number of affected individuals is even higher than the total number of booking records.
Astonishingly, Website Planet reports that the records, which stretch back to 2013, contained years' worth of credit card information, kept on the server "without any protection in place". To give a better idea of the scope and the huge number of people that could be affected by the incident, Website Planet stated that there were 180,000 database records from August 2020 alone, in a year when bookings are near an all-time low due to the Covid-19 pandemic.
The information contained in the leaky database goes well beyond credit card records and also includes customer names, e-mails, phone numbers, ID numbers according to country of origin and the respective personal ID documents. The credit card information in the unsecured database includes the holder name, card number and CVV: essentially every detail needed to use that card and pay for anything online.
Credit cards and personal information were exposed
The leaky database also contained data from a number of popular booking portals, including Booking.com, Hotels.com and Expedia, among others. Chances are that every single booking and reservation service that uses Cloud Hospitality's services is affected. However, Website Planet made it clear that the individual sites using the shared cloud service are not to blame for the data exposure.
There is no evidence that anyone accessed the data before Website Planet discovered the poorly configured database, but if that was indeed the case, the security experts said there would be "enormous implications" for those affected.
The faulty database was taken down immediately after Website Planet contacted Amazon Web Services directly to inform them about it.