Unprotected AWS S3 Bucket of Hotel Reservation System Contained 10 Million+ Files Containing Guests’ PII

Another day, another cloud misconfiguration. This time, more than 10 million files containing personal information, and in many cases payment card data, were left in a publicly accessible AWS S3 bucket, exposing the records of what is likely well over 10 million hotel guests. The bucket was discovered by security researchers at Website Planet, who linked the data to the Spanish developer Prestige Software.

Prestige Software is the developer of ‘Cloud Hospitality’, a software solution used by many hotels for integrating their booking systems into websites such as Booking.com, Hotels.com, and Expedia. In total, 24.4 GB of log files were exposed and could be accessed by anyone who knew where to look.

The files contained information typically submitted when reservations are made, such as names, email addresses, phone numbers, national ID numbers, details of the reservation including notes submitted when bookings were made, and credit card information (cardholder names, card numbers, expiry dates, CVV codes). Website Planet says the credit card details of hundreds of thousands of guests were included in the files, and many of the files contained the information of multiple guests on the same booking, which means the 10 million+ log files could contain the data of well in excess of 10 million individuals. The exposed files date back to 2013. The presence of CVV codes is notable in its own right: PCI DSS prohibits retaining card security codes after authorization, so logging them at all is a compliance failure independent of the bucket misconfiguration.

At the time of discovery, the S3 bucket was still live and in use. The researchers pointed out that in August 2020 alone there were 180,000 log files. Website Planet contacted AWS directly about the exposed S3 bucket and it was secured within 24 hours.

The researchers note that the hotel booking websites that are integrated with Cloud Hospitality are in no way responsible for the exposed data, nor the individual hotels that use the software. The fault lies with Prestige Software for failing to secure the S3 bucket.
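"Failing to secure the S3 bucket" in practice means one of two things: a bucket policy that grants read access to the anonymous principal (`"Principal": "*"`), or a bucket ACL that grants READ to the AllUsers or AuthenticatedUsers group, with S3 Block Public Access not enabled to override either. The following is an added example, not code from the article or from Prestige Software, that audits those three artefacts offline and reports whether a bucket is world-readable. The bucket name, account ID and policy contents are constructed sample inputs, and the Block Public Access logic is a deliberately simplified model of the AWS semantics (RestrictPublicBuckets neutralises a public policy, IgnorePublicAcls neutralises public ACL grants).

```python
import json

# Grantee URIs that make an ACL grant world- or AWS-wide readable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Actions (lower-cased) that let an anonymous caller list or fetch objects.
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject", "s3:list*", "s3:listbucket"}


def _as_list(value):
    """Policy fields such as Action and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True when a statement's Principal is the wildcard ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy):
    """Return the Sids of Allow statements granting read access to everyone.

    Statements carrying a Condition block are still returned: a condition can
    narrow the grant (e.g. to a VPC endpoint), but that needs human review
    rather than being assumed safe.
    """
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs that expose the bucket via its ACL."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                hits.append((uri, grant["Permission"]))
    return hits


def bucket_is_exposed(policy, acl, public_access_block):
    """Simplified model of S3 Block Public Access: either exposure path alone
    is enough, unless the matching Block Public Access flag is on."""
    pab = public_access_block or {}
    policy_exposed = bool(public_read_statements(policy)) and not pab.get("RestrictPublicBuckets", False)
    acl_exposed = bool(public_acl_grants(acl)) and not pab.get("IgnorePublicAcls", False)
    return policy_exposed or acl_exposed


# Constructed sample inputs (not taken from the incident): a bucket policy
# that hands s3:GetObject to the anonymous principal, an ACL granting READ
# to AllUsers, and Block Public Access configurations with everything off/on.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs-bucket/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-logs-bucket/*"}
  ]
}""")

SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}

if __name__ == "__main__":
    print("public statements:", public_read_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("exposed with BPA off:", bucket_is_exposed(SAMPLE_POLICY, SAMPLE_ACL, PAB_OFF))
    print("exposed with BPA on: ", bucket_is_exposed(SAMPLE_POLICY, SAMPLE_ACL, PAB_ON))
```

Against a real bucket, the three inputs come from `aws s3api get-bucket-policy` (the `Policy` field is a JSON string to be parsed), `aws s3api get-bucket-acl`, and `aws s3api get-public-access-block` (pass the inner `PublicAccessBlockConfiguration` object). The cheaper fix is to turn on all four Block Public Access flags at the account level, which makes a public policy or ACL ineffective whether or not someone remembers to audit it.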

An exposure of this nature has severe implications for Prestige Software, which could face financial penalties from regulators, including data protection authorities in the European Union. The data breach experienced by Marriott Hotels recently resulted in an £18.4 million GDPR penalty from the UK Information Commissioner's Office, reduced from a proposed penalty of almost £100 million.

Security researchers are constantly searching for exposed S3 buckets, but so are cybercriminals. It is unclear if the data were downloaded by anyone prior to discovery by the researchers. The researchers say they have not found any evidence of data theft, but the possibility that data were stolen could not be ruled out.

The breach could have serious implications for hotel guests whose data were exposed. If data were stolen, guests would be at risk of financial fraud, identity theft, phishing attacks, and other scams. For instance, an attacker would know enough information about an individual’s stay in a particular hotel to conduct a wide range of scams to obtain credit card details or even blackmail guests.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news