Industry News

Hotel Reservation Platform Leaks 7 Years’ Worth of Customer Records, Exposes Millions to Fraud and Extortion

Prestige Software, which supplies services to thousands of booking websites, has reportedly exposed the private data and credit card details of millions of people worldwide, spanning several years.

Prestige Software facilitates booking services through its Cloud Hospitality platform for the likes of Booking.com, Expedia, Hotels.com, and many others. The security team at Website Planet recently revealed that the hotel reservation platform has been exposing customer data for almost seven years through a misconfigured Amazon Web Services (AWS) S3 bucket.

Per the team’s findings, the exposed data includes:

  • PII data: Full names, email addresses, national ID numbers, and phone numbers of hotel guests
  • Credit card details: card number, cardholder’s name, CVV, and expiration date
  • Payment details: total cost of hotel reservations
  • Reservation details: Reservation number, dates of a stay, the price paid per night, any additional requests made by guests, number of people, guest names, and much more.

The team found over 10 million individual log files dating back to 2013, with over 180,000 records from August 2020 alone.

The exposed S3 bucket was still live and in use at the time of discovery, with new records being uploaded within a few hours of our investigation, the team said.

The leak has potentially exposed millions to fraud, extortion and even black mail. The team can’t guarantee that someone else hadn’t accessed the S3 bucket before them.

“So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security, and financial wellbeing of those exposed,” the researchers said.

This treasure trove of personal financial data makes for the perfect ‘fullz’ to fetch a handsome dollar on the dark web.

Prestige Software is facing numerous legal hurdles on counts like the Payment Card Industry Data Security Standard (PCI DSS) and the EU’s General Data Protection Regulation (GDPR).

Website Planet’s security guys are listing close to a dozen affected booking sites, meaning people in every geography are affected – again, if the leak turns up on the dark web. If that turns out to be the case, malicious actors could use the information to put together convincing phishing campaigns, fraudulent scams, and even extort some customers, “if any hotel stays revealed embarrassing or compromising info about a person’s life,” in the team’s words.

If you know to have done business with Agoda, Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees or Sabre in the past seven years, keep a close eye on your bank statements.

Also, be on the lookout for any suspicious emails or SMS messages hitting your inbox. Don’t reply to messages asking for your user name, password or banking data. If you have reason to believe you’re a victim, contact Prestige Software to learn how they are responding to this incident.

Prestige Software confirmed to Website Planet that it owned the exposed data, but has yet to acknowledge the leak publicly.

About the author

Filip TRUTA

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.