Web hosting specialist exposes massive data flaw in popular hotel management platform

(Image credit: Shutterstock) (Image credit: Image Credit: Pixabay)

A huge security vulnerability affecting a popular hotel reservation platform has been exposing sensitive information relating to hundreds of thousands of people for bookings dating back several years, it has been revealed. The security flaw concerns a misconfigured AWS S3 bucket that stores data including names, email addresses, credit card numbers and a host of other personally identifiable information.  

Spanish technology firm Prestige Software has provided hotels with access to its Cloud Hospitality management platform for a number of years now, offering a service that automates online availability across numerous booking sites. 

However, a security team at Website Planet recently discovered that over 10 million individual log files, dating back to 2013, were being stored using the solution without security protocols in place.

Based on the payment information that has been exposed in this particular leak, it appears that Prestige Software has failed to comply with the Payment Card Industry Data Security Standard. This could result in the firm having their ability to process payment information revoked.

Unsecured data

It’s not easy to state exactly how many individuals would have had data exposed as a result of the security mishap, with some reservations likely to be for group bookings while some would have been cancelled before payment information was taken. Nevertheless, the sheer volume of data exposed identifies Cloud Hospitality as a popular solution, one that is used by some of the biggest names in the online hospitality space, including Expedia, Hotels.com and Booking.com.

As the data was unsecured, it is also not possible to tell whether sensitive information has been accessed. While there is no evidence of fraudulent activity resulting from the exposure yet, cybercriminals could choose to sit on the data before committing criminal acts.

After being notified of the vulnerability, AWS moved to secure the S3 bucket the following day. Still, any ill-gotten information could be used to attempt malicious financial transactions, phishing scams or the injection of malware tools so, as always, it’s important that online users remain vigilant against potential threats.  

Via Website Planet

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.