In what might be one of the most expansive data breaches in recent memory, private customer data from several popular websites, including Booking.com, Expedia, Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, Sabre, and more, is believed to have been leaked by a Spanish software firm called Prestige Software, which operates a channel management platform called Cloud Hospitality that automates room availability on top booking sites.
The leak was originally identified by researchers at Website Planet, who spotted a misconfigured AWS S3 bucket that could be accessed by the public without any authentication. Upon further analysis, the researchers found that the data belonged to the Barcelona-based software firm, which was storing credit card data of travel agents and hotel customers without any security measures, thereby exposing personal and financial data of customers dating as far back as 2013.
The S3 bucket reportedly contained more than 10 million (1 crore) files totaling more than 2.44 GB. The exposed data included not only the full names, email IDs and phone numbers of hotel guests, but also credit card numbers with CVV and expiration dates, potentially allowing anybody to make unauthorized transactions. The researchers say that they haven’t analyzed all exposed files, but “every website and booking platform connected to Cloud Hospitality was probably affected”.
As per the report, the exposed data belongs to people from around the world, including citizens of EU nations, which might invite hefty penalties from local regulators under the GDPR. It’s not immediately clear whether the database was accessed by third parties with malicious intent, but given that cybercriminals have been scanning for exposed databases, it won’t be a major surprise if some of it has already found its way to dark web marketplaces.