Data relating to more than 10 million hotel reservations has been found online in the latest case of cloud storage misconfiguration.

Discovered by researchers at Website Planet, which wrote about it Nov. 6, the database was found exposed on a misconfigured Amazon Web Services Inc. S3 bucket belonging to Prestige Software S.L., a Spanish company that specializes in hotel bookings. Prestige offers a channel management platform called Cloud Hospitality that hotels use to integrate their reservation systems with online booking websites such as Expedia, Agoda, Hotels.com and Booking.com.

The exposed database totaled 24.4 gigabytes and included full names, email addresses, national ID numbers and phone numbers of guests along with reservation number, dates of stay, the price paid per night and any additional requests made. The database also included credit card numbers, cardholder’s name, CVV number and expiration date for hundreds of thousands of people. The data reaches as far back as 2013, with 180,000 records in the database from August 2020 alone.

The researchers noted that it’s difficult to say how many people were affected because of the amount of data exposed and the types of data. For example, records often included information on numerous people on one reservation, while other records included cancellations and amendments.

“For these reasons, the actual number of people exposed could be much higher than the number of reservations logged,” the researchers noted.

The S3 bucket has since been taken offline. Prestige Software has yet to make a public statement on the report, but it may be forced to do so shortly given the world of legal hurt it’s likely to face.

That the credit card details were stored in full on the database means that Prestige has breached the Payment Card Industry Data Security Standard, a standard set by major credit card companies to reduce fraud by setting protocols on how companies hand credit card data. Noncompliance with PCI DSS or a breach can result in having the ability to process credit card payments stripped.

Since it’s based in Spain, Prestige is also subject to the European Union General Data Protection Regulation, which sets strict standards on how private data should be handled.

“The Prestige breach is the latest in a long trail of data leaked due to misconfigured cloud resources and S3 buckets in particular,” Warren Poschman, senior solutions architect with data security specialist comforte AG, told SiliconANGLE. “While this could have been mitigated by simply accepting the default S3 permissions to deny access, the root of the issue is that hotels and other organizations are playing with live data when they should instead be leveraging a data-centric security model to allow data to be protected as it is acquired and traverses through the organization regardless of where it is stored or accessed.”

Saryu Nayyar, chief executive officer of unified security and risk analytics company Gurucul Solutions Pvt Ltd. A.G., noted that working with outside vendors poses a number of challenges, including making sure they are maintaining the same level of cybersecurity as one’s own organization requires.

“It is possible malicious actors had discovered this data earlier and simply not revealed it,” Nayyar added. “The data exposed includes financial and PII information that would be very useful to attackers. A behavioral analytics tool, or other configuration management tool, could have identified the configuration flaw and had it corrected long before it was discovered.”

Photo: Unique Hotels/Flickr