Hotel booking firm exposes data on millions of guests2020-11-09 14:01 by Daniela
Prestige Software, a hotel reservation platform used by Hotels.com, Booking.com, and Expedia, left data belonging to "millions" of guests exposed on a misconfigured Amazon Web Services (AWS) S3 bucket. Each of the records exposed sensitive and personally identifiable information (PII), including names, email addresses, national ID numbers, phone numbers, reservation information, and credit card details, including CVV and expiration date.
The leak was originally identified by researchers at Website Planet after spotting a misconfigured AWS S3 bucket that could be accessed by the public without any security authentication. Upon further analysis, the researchers found that the data belonged to the Barcelona-based software firm that was storing credit card data of travel agents and hotel customers without any security measures, thereby exposing personal and financial data of customers dating as far back as 2013.
The exposed data appears to contain booking and sensitive information from many well-known online booking services, including:
It's not certain how long the data was left open, or if anyone took the data. Website Planet said the hole was closed a day after telling AWS about the exposure. Prestige confirmed that it owned the data.
Based on the payment information that has been exposed in this particular leak, it appears that Prestige Software has failed to comply with the Payment Card Industry Data Security Standard. This could result in the firm having their ability to process payment information revoked.
Read more at WebsitePlanet -here-