Millions of hotel guests worldwide have their private details exposed

Sloppy security settings mean another leaky cloud bucket.

Graham Cluley

A sloppy lack of security by a hotel reservation platform has left highly sensitive information about millions of people worldwide exposed.

Security experts working for Website Planet uncovered a misconfigured AWS S3 bucket holding over 10 million files, with information about hotel guests dating as far back as 2013.

The finger of blame is pointing at Spanish firm Prestige Software, which sells a platform called Cloud Hospitality that helps hotels manage online booking sites like Expedia, Booking.com, Hotels.com, and Amadeus.


It’s important to recognise that neither the hotel booking websites nor the hotels themselves were responsible for the data breach.

Instead, it was Prestige’s Cloud Hospitality software that was at fault. The software is supposed to ensure that a hotel room reserved on, say, Amadeus, is correctly marked as unavailable on Booking.com and other sites.

The software is not supposed to then leave the sensitive data unencrypted and accessible to anyone on the internet – no password required. All because the cloud-based storage was misconfigured.

The 24.4 GB of exposed information left on the Amazon S3 bucket included guests’ full names, email addresses, phone numbers, ID numbers, and reservation numbers. Credit card details (including card numbers, cardholder names, CVVs, and expiration dates) were also exposed.

In the wrong hands that data could easily be exploited by identity thieves and scammers.

Having come across such a significant data breach, Website Planet chose to contact Amazon’s AWS team directly to request that the misconfigured bucket be shut down, and confirmed that the information was no longer accessible the next day.

What isn’t known is how long the bucket had been left open by Prestige Software, or whether any criminals accessed the data.

However, seeing as security researchers keep stumbling across leaky cloud-storage buckets containing sensitive data, it’s hard to believe that online criminals are not doing the same.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Millions of hotel guests worldwide have their private details exposed”

  1. Scott Fuller

    I stayed at Ramkota Hotel in Casper, Wyoming for the 2017 eclipse. I made the reservations directly with them. Am I vulnerable?

  2. Other User

    Aren't obscure, non-password links how most of the industry works for storage?

  3. Andrew Turner

    Whilst the hotel chains may delegate responsibility for security of their data they are still accountable under GDPR. Is this not the same as all the educational establishments who outsourced their admin systems and then got hacked?

  4. Terry

    We all need to do a better job with this. Companies need to be held responsible for identity theft and pay all users affected. Going public, emailing all users etc. of the breach and what to do if they were in fact affected by this.
