Prestige Software, the company behind hotel reservation software used by Expedia, booking.com, Hotels.com and other travel companies, has exposed millions of hotel guest records in a data breach.
The company’s Cloud Hospitality software had been storing guest data on an unsecured Amazon Web Services cloud database for seven years.
The data breach was discovered by Website Planet, which reported that the exposed information included full names, email addresses, national ID numbers, phone numbers, card numbers, cardholder’s name, CVV, and expiration date, as well as the details of the hotel reservation.
The data dates back to 2013 and contained over 180,000 records from August 2020 alone. Website Planet said it was “difficult to say how many people were affected”.
According to the company, this amounted to 10 million individual log files. Website Planet said that it “can’t guarantee that somebody hasn’t already accessed the S3 bucket”, but so far there is no evidence that this has happened. Website Planet contacted AWS and the S3 bucket was secured the following day.
When approached for comment Prestige Software told Verdict:
“Since we became aware of the incident, we have been working with our technical teams in order to assess the situation, adopt corrective measures and ensure that this is not given in the future.
“In this context, and according to the information our technical department has provided, the incident did not imply a non-authorized entry into our systems and/or an export of data. Rather than this, part of such data was made publicly visible for a very limited time without having been detected any actual access and use of the data beyond the one executed by Website Planet (which in any case was very limited and without having implied any use of the data beyond the drafting of the report.)
“Apart from this, note that we have informed our clients, keeping them updated on the incident as well as on its main features.
“In conclusion, we have taken measures to diligently react to this incident which, according to the information that we are managing right now, should actually have had very limited effects. We are still working on this and will update you should any relevant development be given.”
Prestige Software leaves bucket public
AWS S3 buckets are a type of cloud-based data storage used by many organisations. Although S3 buckets are private by default, the owner can set them to public, meaning their contents are freely accessible online without a password.
If malicious actors become aware of public buckets, they may be able to access a wealth of data, leaving victims more at risk of identity theft, phishing attacks and financial fraud.
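The two settings that most often make a bucket public are a bucket policy that allows access to the principal `*` and an ACL that grants a permission to the AllUsers or AuthenticatedUsers group. The following Python is an added illustration, not code from Verdict, Website Planet or Prestige Software: it checks a bucket policy document and an ACL (in the shape boto3's get_bucket_acl() returns) for those two conditions, using constructed sample inputs rather than any real bucket.

```python
import json

# Constructed sample inputs (illustrative, not Prestige Software's real configuration).
# The policy is a standard IAM bucket-policy document; the ACL mirrors the shape
# returned by boto3's get_bucket_acl().
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-guest-data",
                      "arn:aws:s3:::example-guest-data/*"]},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-guest-data/*"},
    ],
})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# Predefined S3 groups whose members are, respectively, anyone on the internet and
# anyone holding any AWS account; a grant to either makes the bucket public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # Both "*" and {"AWS": "*"} mean "any principal, including anonymous users".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_policy_statements(policy_json):
    """Return (Sid, actions) for Allow statements open to everyone.
    Statements with a Condition are still flagged so a reviewer can inspect them."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(_as_list(stmt["Action"]))))
    return findings

def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]
```

On a live account the same two functions can be fed the output of get_bucket_policy()["Policy"] and get_bucket_acl() for each bucket; S3 Block Public Access, when enabled at the account level, prevents both settings from taking effect in the first place.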
Jake Moore, cybersecurity specialist at ESET, explained that unsecured S3 buckets are worryingly common:
“This is yet another Amazon S3 bucket incident, which proves again that site owners are clearly not aware of the scale of this vulnerability. Time after time there are incidents where data is lost or compromised, and when the data is not even encrypted we are seeing potentially catastrophic outcomes.
“S3 is one of the oldest services in AWS and the good news is that it always defaults to secure and private. However, the bad news is that AWS allows people to use it and notoriously people weaken or even bypass security – sometimes without even being aware. Cloud misconfiguration can easily occur, so it needs to be double-checked by the people in charge of it. If you are concerned, log into the console and click on S3 and look for the ‘Public’ tag to see if any data is vulnerable to theft. AWS has taken measures to better educate its customers about proper S3 bucket configurations but the best protection is a two-way street where users take on some of the responsibility themselves too.”