Skip to main content

Web hosting specialist exposes massive data flaw in popular hotel management platform

(Image credit: Shutterstock) (Image credit: Image Credit: Pixabay)
Audio player loading…

A huge security vulnerability affecting a popular hotel reservation platform has been exposing sensitive information relating to hundreds of thousands of people for bookings dating back several years, it has been revealed. The security flaw concerns a misconfigured AWS S3 bucket that stores data including names, email addresses, credit card numbers and a host of other personally identifiable information.  

Spanish technology firm Prestige Software has provided hotels with access to its Cloud Hospitality management platform for a number of years now, offering a service that automates online availability across numerous booking sites. 

However, a security team at Website Planet recently discovered that over 10 million individual log files, dating back to 2013, were being stored using the solution without security protocols in place.

Based on the payment information that has been exposed in this particular leak, it appears that Prestige Software has failed to comply with the Payment Card Industry Data Security Standard. This could result in the firm having their ability to process payment information revoked.

Unsecured data

It’s not easy to state exactly how many individuals would have had data exposed as a result of the security mishap, with some reservations likely to be for group bookings while some would have been cancelled before payment information was taken. Nevertheless, the sheer volume of data exposed identifies Cloud Hospitality as a popular solution, one that is used by some of the biggest names in the online hospitality space, including Expedia, Hotels.com and Booking.com.

As the data was unsecured, it is also not possible to tell whether sensitive information has been accessed. While there is no evidence of fraudulent activity resulting from the exposure yet, cybercriminals could choose to sit on the data before committing criminal acts.

After being notified of the vulnerability, AWS moved to secure the S3 bucket the following day. Still, any ill-gotten information could be used to attempt malicious financial transactions, phishing scams or the injection of malware tools so, as always, it’s important that online users remain vigilant against potential threats.  

Via Website Planet