S3: Millions of hotel reservations exposed in massive data breach
In a high-severity data breach involving more than 10,000,000 files, Prestige Software, a hotel reservation platform based in Spain, exposed the banking details of over a million customers. The company provides automated online booking services to travellers reserving hotels for their next vacation or business trip.
The exposed customer data included:
- PII: names, phone numbers, email addresses, and ID numbers.
- Credit card details: card number, CVV, expiration date, cardholder's name, and the cost of the hotel reservation.
- Reservation details: dates of stay, number of guests, names of all guests, contact information, and more.
Prestige Software was storing all of its customer and reservation data in an Amazon Web Services (AWS) S3 bucket.
S3, or Simple Storage Service, is the object storage service offered by AWS, and it is routinely used to hold confidential and sensitive data.
Storing such data in an S3 bucket means the bucket must be configured and operated in line with the applicable security standards and regulations.
Meeting those requirements is what lets a company store data securely and build solid layers of defence against data breaches; for payment card data, an essential part of this is compliance with PCI DSS.
Why did this data breach occur?
Based on the scale of the personally identifiable information exposed, experts believe the breach was caused by a misconfigured AWS S3 bucket, compounded by poor adherence to PCI DSS, the Payment Card Industry Data Security Standard. PCI DSS is a key information security standard that protects the data of branded credit card holders so that they can transact safely and securely on online portals.
According to websiteplanet.com, Prestige Software was not following this standard, which undermined its ability to accept and process credit card payments safely. The resulting breach handed over all of this sensitive information with no effort on the part of whoever found the bucket, leaving millions of customers exposed on the Internet. The company will feel the effects directly in negative press coverage, loss of business, and legal action, and it also faces heavy fines for GDPR and other data-privacy violations.
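The misconfiguration described above is the kind of thing a defender can check for before data is exposed. The following is an added example, not code from the original article or from Prestige Software, that audits a bucket's policy, ACL grants and Block Public Access settings for anonymous access; the bucket name, account ID and role name are made up, and the inputs are constructed in the same shape that boto3's get_bucket_policy, get_bucket_acl and get_public_access_block return.

```python
import json

# Constructed sample inputs in the shape boto3's get_bucket_policy /
# get_bucket_acl / get_public_access_block return (bucket name is made up).
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-reservations/*"}]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-api"},
     "Resource": "arn:aws:s3:::example-reservations/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-reservations",
                  "arn:aws:s3:::example-reservations/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                "Permission": "FULL_CONTROL"}]
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
NOTHING_BLOCKED = {k: False for k in ALL_BLOCKED}

# Grantee groups that mean "anyone on the Internet" / "any AWS account".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def audit_bucket(policy_json, acl_grants, public_access_block) -> list:
    """Return findings that let anonymous callers reach the bucket; a Block
    Public Access setting suppresses the finding it neutralises."""
    findings = []
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:  # any Allow to a wildcard principal needs review, Condition or not
        if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal")):
            if not public_access_block.get("RestrictPublicBuckets"):
                findings.append(f"policy allows {s.get('Action')} to everyone")
    for g in acl_grants:
        if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            if not public_access_block.get("IgnorePublicAcls"):
                findings.append(f"ACL grants {g.get('Permission')} to {g['Grantee']['URI']}")
    return findings
```

Running the audit against the public policy and ACL with no Block Public Access settings yields two findings, while the hardened policy with a private ACL yields none.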
This data breach does not only affect the customers and the company itself; it also exposes Prestige Software's business clients, including big names such as Expedia, Booking.com, Agoda, Sabre, Omnibees, and more. More concerning still, while the breach was under investigation, new customer records were still being accepted, recorded, and uploaded to the platform.