A software company called Prestige Software, based in Barcelona, Spain, has been found to have exposed sensitive private and financial data of millions of customers around the world, media reported. In particular, customers of Booking.com, Expedia, Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees, Sabre and others were accidental victims of the data breach.
The exposed database was originally discovered by researchers at Website Planet: a misconfigured AWS S3 bucket owned by Prestige Software was open to the public without any authentication. The researchers analyzed the database and concluded that it contained 24.4 GB worth of data, totalling more than 10 million files.
It’s worth noting that Prestige Software provides hotels with a channel management platform called Cloud Hospitality, which handles and automates room availability on top booking sites. In this case, the software company stored credit card data of travel agents and hotel customers without any security measures. As a result, clients’ personal and financial data was exposed online as early as 2013.
According to a report compiled by Website Planet researcher Mark Holden, the exposed data belongs to hotel guests and includes the following:
E-mail address
Hotel reservation number
Date and duration of stay
Credit card number, including the card owner’s name, CVV code, and the card’s expiration date
“We didn’t review all the files exposed in the S3 bucket, so this isn’t a complete list. Every website and booking platform connected to a cloud hotel may be affected. These sites are not responsible for any data exposed as a result,” Holden said in the report.
Since Prestige Software is headquartered in Europe and the exposed data belongs to people around the world, including European citizens, the company should be prepared to accept huge fines and penalties under the GDPR.
As for the affected customers, it is unclear whether their data was maliciously accessed by a third party. However, as we have seen recently, cybercriminals have been scanning for exposed databases, stealing the data and selling it on the dark web, or leaking it on hacker forums for free download.
In a case reported a few months ago, the personal data and phone numbers of 42 million Iranians were exposed on misconfigured servers and ended up for sale on the dark web and hacking forums within days.
In another case, Hackread.com reported that in December 2019, a misconfigured database exposed the personal information of 267 million Facebook users. In April 2020, the same database was sold on a hacker forum for $600.