A cloud misconfiguration affecting users of a popular reservation platform threatens travelers with identity theft, scams, credit-card fraud and vacation-stealing.
A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.
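The article says only that the bucket was "misconfigured." For an S3 bucket, that almost always means a bucket policy or ACL that grants access to a wildcard principal while the account's Public Access Block settings are left off. The following script is an added example, not code from the original article, from Prestige Software or from AWS: it places a constructed world-readable bucket policy beside a constructed corrected one, flags the statements that make a bucket public, and lists which Public Access Block settings are missing. The bucket name, account ID and role name are made up for illustration.

```python
"""Spot a world-readable S3 bucket policy and show the hardened alternative.
Added example; the policies, bucket name and account ID below are constructed."""
import json

# Constructed: the kind of policy that leaves every object readable by anyone.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reservations",
                     "arn:aws:s3:::example-reservations/*"],
    }],
})

# Constructed: the corrected policy, scoped to one IAM role in the owning
# account, plus a Deny for any request that does not use TLS.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowBookingServiceRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-integration"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-reservations/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-reservations",
                     "arn:aws:s3:::example-reservations/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Actions that expose bucket contents. Wildcards are matched literally against
# this set, not expanded as globs, which is enough for a first-pass audit.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy_json):
    """Return the Sids of Allow statements that grant read access to a wildcard
    principal with no Condition. Statements with a Condition are skipped here;
    a real audit should check whether the condition is satisfiable by anyone."""
    policy = json.loads(policy_json)
    offenders = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders


def is_publicly_readable(policy_json):
    return bool(public_read_statements(policy_json))


# Bucket- or account-level Public Access Block. With all four enabled, a policy
# like PUBLIC_READ_POLICY is rejected or ignored rather than taking effect.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_access_block_gaps(settings):
    """Return the Public Access Block settings that are not enabled."""
    return [k for k in HARDENED_PUBLIC_ACCESS_BLOCK if not settings.get(k, False)]


if __name__ == "__main__":
    print("public-read policy flags:", public_read_statements(PUBLIC_READ_POLICY))
    print("restricted policy flags:", public_read_statements(RESTRICTED_POLICY))
    print("gaps with no block configured:", public_access_block_gaps({}))
```

Against a live account the same two checks apply to the JSON returned by the boto3 S3 client's get_bucket_policy and get_public_access_block calls; the script above keeps the inputs inline so it runs offline. Note that a bucket can also be exposed through object ACLs, which this policy check does not cover; that is what the BlockPublicAcls and IgnorePublicAcls settings are for.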
Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.
The incident has affected 24.4 GB worth of data in total, according to the security team at Website Planet, which uncovered the bucket. Many of the records contain data for multiple hotel guests grouped together on a single reservation, so the number of people exposed is likely well over 10 million, researchers said.
“The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks,” according to the firm, in a recent notice on the issue. “The S3 bucket contained over 180,000 records from August 2020 alone. Many of them related to hotel reservations being made on numerous websites, despite global hotel bookings being at an all-time low for this period.”
The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more.
The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more.
“Every website and booking platform connected to Cloud Hospitality was probably affected,” according to Website Planet. “These websites are not responsible for any data exposed as a result.”
Hotel guests affected could be the targets of a wide range of attacks, from identity theft and phishing to someone hijacking their vacations, researchers said. For instance, they pointed out that cybercriminals could use details of hotel stays to create convincing scams and target wealthy individuals who have stayed at expensive hotels. And if any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail and extort them.
“We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” researchers said. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”
Other attack scenarios include credit-card fraud and longer-running scams in which an attacker uses the reservation details to establish trust, then encourages victims to click on malicious links, download malware or hand over further private data.
As for Prestige, it is subject to the EU's General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). GDPR violations can result in large fines, and non-compliance with PCI DSS could mean that Prestige's ability to accept and process credit-card payments is revoked, researchers noted.
“The international travel and hospitality industries have been devastated by the coronavirus crisis, with many companies struggling to survive, and millions of people out of work,” researchers said. “By exposing so much data and putting so many people at risk in such a delicate time, Prestige Software could face a PR disaster due to this breach.”
Researchers contacted AWS directly, and the S3 bucket was secured the following day. Prestige, they said, confirmed that it owned the data. Threatpost has reached out to Prestige for a comment on the incident.
This is the latest in the line of large cloud misconfigurations. Pharma giant and COVID-19 vaccine hopeful Pfizer in October was found to have leaked the private medical data of prescription-drug users in the U.S. for months or even years, thanks to an unprotected Google Cloud storage bucket. The exposed data includes phone-call transcripts and personally-identifiable information (PII) related to prescriptions.
Also in October, Broadvoice, a well-known VoIP provider that serves small- and medium-sized businesses, was found to have leaked more than 350 million customer records related to the company’s “b-hive” cloud-based communications suite.
Among other incidents this fall, an estimated 100,000 customers of Razer, a purveyor of high-end gaming gear ranging from laptops to apparel, had their private info exposed via a misconfigured Elasticsearch server. And, a misconfigured, Mailfire-owned Elasticsearch server impacting 70 dating and e-commerce sites was found leaking PII and details such as romantic preferences. Also, the Wales arm of the U.K.’s National Health Service announced that PII for Welsh residents who had tested positive for COVID-19 was exposed via a public cloud upload.
A large share of cloud storage buckets containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitech showed that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.