Prestige Software -- a platform that enables hotels to automate their availability on booking websites like Expedia and Booking.com -- reportedly stored files dating as far back as 2013 without any protection in place.
Exposed information included names, credit card details, ID numbers, and reservation details. In some cases, logs contained personally identifiable information for multiple members included in a single booking.
No evidence of third-party access
At this time, it’s not known how long the trove of data was left unsecured or whether any third parties accessed it. A cybercriminal who found the data could steal identities, carry out phishing scams, or even hijack a reservation.
“Millions of people were potentially exposed in the data breach, from all over the world. We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” said researcher Mark Holden. “So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”
Website Planet said the firm quickly fixed the vulnerability after being alerted to the issue.
Holden said that due to the sheer number of hotel and travel websites involved in the breach, it’s “impossible to help anyone already exposed if somebody found the data before us.” Clients of Prestige Software include Booking.com, Expedia, Hotels.com, and many others.
“If you’re a customer of any of the websites listed in this report and are concerned about how this leak might impact you, contact the company directly to determine what steps it’s taking to protect your data,” Website Planet said.