Credit card data from millions of hotel bookings was freely accessible

More than ten million files of hotel booking details were visible on a misconfigured AWS S3 bucket. The data was managed by Prestige Software, a Spanish company that collaborates with, among others, Agoda, Booking.com and Expedia.

Website Planet’s security team discovered the data. According to the researchers, it concerns 24.4 GB of log files and contains data from hotel bookings worldwide. Both recent bookings and details of older bookings, up to 2013, were found.

The personal data was stored without any protection. This concerns credit card details, name and address details, passport numbers and e-mail addresses of hotel visitors. The details of hotel reservations, such as costs, number of nights and additional requests are also included.

The data breach is at Prestige Software, a Spanish company that offers a channel management platform to hotels under the name Cloud Hospitality. Hotels can use this to pass on the availability of their rooms to sites such as Agoda, Booking.com and Expedia. According to Website Planet, the data shows that this includes bookings made via those large platforms, but also many other platforms.

The researchers found the data freely accessible on an Amazon Web Services S3 bucket. It was configured incorrectly and therefore accessible. When the data breach was detected, the database was in use and new records were added. It is not known how long the data was accessible or whether it was discovered and downloaded by others.

Due to the sensitivity of the data, Website Planet says it has contacted Amazon directly. A day after the discovery, access to the S3 bucket would have been locked. Prestige Software has confirmed ownership of the data. The Spanish company has not released a statement, but is obliged under GDPR legislation to report a data breach to the privacy supervisor.

Example of data that was insightful