Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Data breach potentially exposes details of millions of booking.com and Expedia customers

‘Anybody who has made a hotel booking with these major hotel reservation platforms since 2013 is potentially at risk,’ says digital privacy expert

Helen Coffey
Thursday 12 November 2020 16:27 GMT
Comments
Credit card details could have been exposed
Credit card details could have been exposed (Getty Images/iStockphoto)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Millions of hotel customers’ details could have potentially been exposed, after a software company was found to have improperly stored sensitive data.

The breach was uncovered by Website Planet, which found that Prestige Software, a company responsible for a hotel reservation system used by booking.com and Expedia, had been storing years’ worth of credit card data from hotel guests and travel agents without any protection in place.

The error put millions of customers at risk from fraud and online attacks.

Extremely sensitive data from as far back as 2013 was being incorrectly stored, with details including credit card and CVV numbers, full names, addresses and ID numbers of guests and comprehensive details about customers’ reservations all unprotected.

According to Website Planet, Prestige Software was storing data from its Cloud Hospitality system on a “misconfigured Amazon Web Services (AWS) S3 bucket” that was open to attack.

More than 10 million individual log files were found to be susceptible.

Other companies that use Cloud Hospitality and whose customers may have been at risk include Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees and Sabre.

In leaving customers’ credit card details exposed and vulnerable to attack, Prestige Software has breached the Payment Card Industry Data Security Standard, claims Website Planet.

“The number of consumers that have been affected by this enormous data leak is almost beyond comprehension,” said Ray Walsh, digital privacy expert at ProPrivacy.

“Anybody who has made a hotel booking with these major hotel reservation platforms since 2013 is potentially at risk.

“The data that was left exposed could easily be used by cybercriminals to launch secondary phishing attacks, or to commit fraud or identity theft in the future.”

There is no evidence that cybercriminals found the data breach before the investigations team at Website Planet.

However, it is advising customers of any of the affected platforms to contact the company directly to determine what steps are being taken to protect their data.

If details had been accessed by hackers, customers could be at risk of phishing and malware attacks, as well as scams.

“Most data breaches are never discovered or reported by the companies responsible,” said Website Planet. “So, we decided to do the work and find the vulnerabilities putting people at risk.

“We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.

“By reporting these leaks, make the internet safer for everyone.”

British Airways fined £20m over data breach

Jose Hernández, product manager at Prestige Software, told The Independent: “Since we became aware of the incident, we have been working with our technical teams in order to assess the situation, adopt corrective measures and ensure that this is not given in the future.

“In this context, and according to the information our technical department has provided, the incident did not imply a non-authorized entry into our systems and/or an export of data. Rather than this, part of such data was made publicly visible for a very limited time without having been detected any actual access and use of the data beyond the one executed by Website Planet (which in any case was very limited and without having implied any use of the data beyond the drafting of the report).

“Apart from this, note that we have informed our clients, keeping them updated on the incident as well as on its main features.

“In conclusion, we have taken measures to diligently react to this incident which, according to the information that we are managing right now, should actually have had very limited effects. We are still working on this and will update you should any relevant development be given.”  

An Expedia Group spokesperson told The Independent: “We are aware of the report related to a data security incident that Prestige Software/Cloud Hospitality may have experienced. This was not a compromise of Expedia Group’s systems. As such, we are directing any requests for information to Prestige Software/Cloud Hospitality.” 

A booking.com spokesperson said: “There has been no data breach of booking.com’s platform connected to the disclosures Prestige Software / Cloud Hospitality has made regarding a breach of its system. As such, we are encouraging requests for information directly to Prestige Software / Cloud Hospitality.”  

 

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in