Misconfigured Amazon Web Services data bucket exposed Expedia, Booking Group, Amadeus and Hotelbeds files
Hacktivist probe finds Spanish software firm put travel brands’ customer data at risk
Consumer data belonging to millions of customer of leading travel brands and B2B suppliers was improperly secured by a third party channel manager software firm.
Expedia, booking.com, Amadeus and Hotelbeds booking data was accessed by researchers investigating Spanish technology partner Prestige Software.
Madrid and Barcelona-based Prestige Software, which provides channel manager software to hotels, was subject to a white hat ‘hacktivist’ probe reported by specialist developer blog Website Planet.
Mark Holden, a contributor to Website Planet, revealed the problem centred on a misconfigured Amazon Web Services S3 data bucket that should block public access.
However, he was able to access 10 million booking data files dating back to 2013 including sensitive personal and financial data that could have been used by cyber criminals.
Hoden said: “The company was storing years of credit card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks.”
The AWS misconfiguration was quickly fixed after it was highlighted by Website Planet, which reported that Prestige Software, whose channel manager software is called Cloud Hospitality, had confirmed it owned the data.
Travel websites that partner with Prestige Software, including many of the biggest names in the sector are not responsible for any of the data that was potentially exposed.
Under data protection GDPR rules in Europe data processors are legally obliged to report any breaches as soon as they are discovered.
It is also subject to Payment Card Industry Data Security Standard (PCI DSS) regulations which if breached could lead to suspension of the firm’s ability to process payments.
Amadeus confirmed it has disabled all connections with Prestige Software until it is satisfied there is no longer any threat of data being exposed.
The firm told Travolution: “On November 9th 2020 the Amadeus Hospitality Security Operations Center received information that a widely used platform, Prestige Software’s “Cloud Hospitality”, has exposed 10 million files related to guests at various hotels around the world.
“Amadeus took immediate action to investigate the matter, these investigations indicated that no TravelClick or Amadeus systems have been compromised and that this is an exposure of files processed on and under the responsibility of the Prestige platform.
The statement added: “To provide services to Amadeus customers when Amadeus has been requested to do so, connections can be made through an API connection or equivalent, between the Amadeus system and other third party systems, including the Prestige platform.
“Due to the exposure of information from the Prestige platform, Amadeus has disabled all connections between Amadeus and the Prestige platform.
“These connections will remain disabled until Amadeus has sufficient guarantees that the issue on the Prestige platform has been resolved or Amadeus is instructed by an impacted Amadeus hotel customer to re-enable the connectivity.
“If you believe you have customers that have booked hotels that use the Prestige platform, please contact the hotel or Prestige directly for further information.”
Expedia said in a statement: “We are aware of the report related to a data security incident that Prestige Software/Cloud Hospitality may have experienced. This was not a compromise of Expedia Group’s systems.
“As such, we are directing any requests for information to Prestige Software/Cloud Hospitality.”
A Hotelbeds spokesman said: “We are investigating this urgently. However, in the meantime we can confirm that Hotelbeds does not share customer credit card data with third party partners and furthermore, does not send Virtual Credit card payments via Prestige: our payments are tokenised, meaning we store no customer credit card data in our data chain.
“Additionally, we can confirm that the volume of bookings Hotelbeds shares with Prestige Software is both very low and, most importantly, is limited to the minimum needed to secure a booking (name, surname, date, etc).”
Booking.com issued the following statement: “There has been no data breach of Booking.com’s platform connected to the disclosures Prestige Software/Cloud Hospitality has made regarding a breach of its system. As such, we are encouraging requests for information directly to Prestige Software / Cloud Hospitality.”
Travolution has also contacted Prestige Software for comment and is awaiting a response.