A huge security vulnerability affecting a popular hotel reservation platform has been exposing sensitive information relating to hundreds of thousands of people for bookings dating back several years, it has been revealed. The security flaw concerns a misconfigured AWS S3 bucket that stores data including names, email addresses, credit card numbers and a host of other personally identifiable information.
Spanish technology firm Prestige Software has provided hotels with access to its Cloud Hospitality management platform for a number of years now, offering a service that automates online availability across numerous booking sites.
However, a security team at Website Planet recently discovered that over 10 million individual log files, dating back to 2013, were being stored using the solution without security protocols in place.
Based on the payment information that has been exposed in this particular leak, it appears that Prestige Software has failed to comply with the Payment Card Industry Data Security Standard. This could result in the firm having its ability to process payment information revoked.
It’s not easy to state exactly how many individuals would have had data exposed as a result of the security mishap, with some reservations likely to be for group bookings while some would have been cancelled before payment information was taken. Nevertheless, the sheer volume of data exposed identifies Cloud Hospitality as a popular solution, one that is used by some of the biggest names in the online hospitality space, including Expedia, Hotels.com and Booking.com.
As the data was unsecured, it is also not possible to tell whether sensitive information has been accessed. While there is no evidence of fraudulent activity resulting from the exposure yet, cybercriminals could choose to sit on the data before committing criminal acts.
After being notified of the vulnerability, AWS moved to secure the S3 bucket the following day. Still, any ill-gotten information could be used to attempt malicious financial transactions, phishing scams or the injection of malware tools so, as always, it’s important that online users remain vigilant against potential threats.
Via Website Planet