A hotel booking platform used by Hotels.com, Booking.com and Expedia has exposed the personal information of over 10 million hotel guests and holidaymakers, leaving highly sensitive data unprotected for the past seven years.
The issue has been revealed by online hosting firm Website Planet, which claims Spanish company Prestige Software exposed the data in a misconfigured Amazon Web Services storage bucket (an Amazon S3 bucket).
Prestige, which sells a channel management platform called Cloud Hospitality that lets hotels automate their availability on online booking websites, had allegedly been storing the unprotected data going back to 2013.
As a result, it is claimed that Prestige Software has exposed over 10 million individual log files in total. Each of these records exposed sensitive and personally identifiable information, including names, email addresses, national ID numbers, phone numbers, reservation information, and credit card details, including CVV and expiry date.
Website Planet reports that the file contained over 180,000 records from August 2020 alone, despite global hotel bookings being at an all-time low for this period.
However, it is difficult to say how many people were affected due to the amount of data exposed. The report notes the actual number of people exposed could be much higher than the number of reservations logged, as many of the logs contained data for numerous people on one booking.
Website Planet said the leak was plugged a day after it reported the incident to Amazon Web Services, adding that Prestige confirmed it was the owner of the data and the party responsible for the leak.
The travel sector may have been hit hard by Covid-19, but it has also been fingered for poor data security practices.
According to an investigation carried out in June by Which? into 98 travel firms, including major airlines, tour operators and hotel chains, many of the world’s biggest travel brands were found to have been leaving millions of customers open to data theft through serious security vulnerabilities on their websites.
Marriott International and British Airways, which have recently been fined a total of £28.5m by the UK Information Commissioner’s Office for lax data security, as well as easyJet, which is currently under investigation for a breach that was exposed in May this year, were among the top five companies with the most risks identified.
At the time, Which? Travel editor Rory Boland said: “Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.
“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.
“The Government must also allow for opt-out collective redress when data breaches occur – so that companies that play fast and loose with people’s data can be held to account.”