Hotel reservation platform leaks data on millions of guests

Prestige Software's data leak dates back as far as 2013

Hotel reservation platform Prestige Software has exposed the personal data of millions of hotel guests worldwide, after misconfiguring an AWS S3 bucket.

That's according to a new report by Website Planet, which claims that the leaked information dates back as far as 2013 and includes details like customer names, ID numbers and credit card information.

Prestige Software is based in Spain and sells a channel manager called Cloud Hospitality, which allows hotels to integrate their reservation systems with online booking websites like Booking.com and Expedia.

According to Website Planet, Prestige Software was storing data on hotel guests and travel agents for many years without any protections in place.

Mark Holden, Website Planet researcher, said that the misconfigured AWS bucket contained over 10 million individual log files - more than 24.4 GB worth of data. Over 180,000 records from August 2020 alone were found in the bucket.

The information exposed included personally identifiable information (PII) such as guest names, ID numbers, addresses and phone numbers.

For thousands of guests, payment card details were also leaked, including their names, payment card numbers and card expiration details.

Holden said that more than 10 million people could be affected by the data breach, as some log files representing a single booking contained data for multiple individuals.

The S3 bucket appeared to contain data originating from many renowned sources, including Booking.com, Hotels.com, Expedia, Amadeus, Agoda, Hotelbeds, Sabre and Omnibees, among others.

It's not yet clear for how long the data was left unsecured on the internet, or if a cybercrime group discovered the exposed database online and copied it to their own systems.

Website Planet says their experts notified AWS directly so that it could address the leak itself, without any delay. AWS confirmed it had plugged the security hole the next day.

Rich Vibert, CEO and Co-founder at Metomic, commented: "The news that Prestige Software has been exposing the sensitive data of millions of hotel guests since 2013 is the latest in a long line of disappointing data practices by large-scale organisations.

"It is simply unacceptable that the company opened its customers up to identity theft, fraud and phishing attacks. But it's also frustrating that this could have been easily and affordably avoided by embracing a privacy-first culture. For example, introducing technology to detect and tokenise the personal identifiable information they exposed so it would have been unreadable.

"Companies need to stop thinking of privacy as a legal and contractual check-box. Instead, they must see it as a means for eradicating data breaches so they can maintain customer trust and have the power of data, without the risk."