Serviceteam IT Security News

The cache of data sitting wide open on a server included full names, national ID numbers and credit card data

A wide range of sensitive information of millions of hotel guests has been discovered sitting on an unsecured server and accessible for anyone to view. The data was stored on a misconfigured Amazon Web Services (AWS) S3 bucket belonging to Prestige Software, a Spain-based company that sells hotel reservation management software.

The leak, reported by Website Planet, originated from the Spanish company’s Cloud Hospitality channel management software, which is used by hotels to automate the status of their vacancies on various booking websites. Since the platform is used to connect with the reservation websites, some of the data came from popular online travel agencies, such as Expedia,, and Agoda, although they cannot be faulted for the data exposure.

RELATED READING: Five tips for keeping your database secure

The data comprised over 10 million log files, including information going as far back as 2013. The treasure trove consisted of a range of Personally Identifiable Information (PII), such as guests’ full names, national ID numbers, email addresses, phone numbers, as well as details such as the reservation number, dates, number of guests and their names and the price paid. Moreover, the S3 bucket also contained valuable financial data such as credit card numbers, the cardholder’s name, credit card verification codes (CVV), and expiration date.

Website Planet also confirmed the veracity of the data by checking that a sample of the leaked email addresses belonged to real people. While currently there is no evidence of any threat actors gaining access to the data, researchers can’t guarantee that the data wasn’t accessed before they discovered the misconfigured server. The researchers also contacted AWS and the bucket has since been secured.

The amount and variety of the records exposed would give hackers plenty of material for all manner of malicious activity. The hotel guests could fall victim to identity theftphishing and other social engineering attacks, and even financial fraud, due to the leaked credit card data. However, black hats don’t have to abuse the data themselves; instead, they could sell it off on the dark web in bulk.

RELATED READING: Details of 142 million MGM hotel guests selling for US$2,900

Businesses that run afoul of data protection laws, notably the European Union’s General Data Protection Regulation (GDPR), may face serious consequences for privacy and security lapses.

Source: HERE

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!