Data breach potentially exposes details of millions of booking.com and Expedia customers
‘Anybody who has made a hotel booking with these major hotel reservation platforms since 2013 is potentially at risk,’ says digital privacy expert
Credit card details could have been exposed (Getty Images/iStockphoto)
Millions of hotel customers’ details could have potentially been exposed, after a software company was found to have improperly stored sensitive data.
The breach was uncovered by Website Planet, which found that Prestige Software, a company responsible for a hotel reservation system used by booking.com and Expedia, had been storing years’ worth of credit card data from hotel guests and travel agents without any protection in place.
The error put millions of customers at risk from fraud and online attacks.
Extremely sensitive data from as far back as 2013 was being incorrectly stored, with details including credit card and CVV numbers, full names, addresses and ID numbers of guests and comprehensive details about customers’ reservations all unprotected.
According to Website Planet, Prestige Software was storing data from its Cloud Hospitality system on a “misconfigured Amazon Web Services (AWS) S3 bucket” that was open to attack.
More than 10 million individual log files were found to be susceptible.
Other companies that use Cloud Hospitality and whose customers may have been at risk include Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees and Sabre.
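In leaving customers’ credit card details exposed and vulnerable to attack, Prestige Software has breached the Payment Card Industry Data Security Standard, claims Website Planet. The standard prohibits storing card verification codes such as CVV numbers once a payment has been authorised, and requires stored card numbers to be protected.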
“The number of consumers that have been affected by this enormous data leak is almost beyond comprehension,” said Ray Walsh, digital privacy expert at ProPrivacy.
“Anybody who has made a hotel booking with these major hotel reservation platforms since 2013 is potentially at risk.
“The data that was left exposed could easily be used by cybercriminals to launch secondary phishing attacks, or to commit fraud or identity theft in the future.”
There is no evidence that cybercriminals found the exposed data before the investigations team at Website Planet did.
However, Website Planet is advising customers of any of the affected platforms to contact the company directly to determine what steps are being taken to protect their data.
If details had been accessed by hackers, customers could be at risk of phishing and malware attacks, as well as scams.
“Most data breaches are never discovered or reported by the companies responsible,” said Website Planet. “So, we decided to do the work and find the vulnerabilities putting people at risk.
“We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.
“By reporting these leaks, [we] make the internet safer for everyone.”
Jose Hernández, product manager at Prestige Software, told The Independent: “Since we became aware of the incident, we have been working with our technical teams in order to assess the situation, adopt corrective measures and ensure that this is not given in the future.
“In this context, and according to the information our technical department has provided, the incident did not imply a non-authorized entry into our systems and/or an export of data. Rather than this, part of such data was made publicly visible for a very limited time without having been detected any actual access and use of the data beyond the one executed by Website Planet (which in any case was very limited and without having implied any use of the data beyond the drafting of the report).
“Apart from this, note that we have informed our clients, keeping them updated on the incident as well as on its main features.
“In conclusion, we have taken measures to diligently react to this incident which, according to the information that we are managing right now, should actually have had very limited effects. We are still working on this and will update you should any relevant development be given.”
An Expedia Group spokesperson told The Independent: “We are aware of the report related to a data security incident that Prestige Software/Cloud Hospitality may have experienced. This was not a compromise of Expedia Group’s systems. As such, we are directing any requests for information to Prestige Software/Cloud Hospitality.”
A booking.com spokesperson said: “There has been no data breach of booking.com’s platform connected to the disclosures Prestige Software / Cloud Hospitality has made regarding a breach of its system. As such, we are encouraging requests for information directly to Prestige Software / Cloud Hospitality.”