S3: Millions of hotel reservations exposed in massive data breach
Nov. 16, 2020, 9:09 p.m.
In a high severity data breach totaling 10,000,000+ files, Prestige Software, a hotel reservation platform based in Spain, exposed the banking details of over a million customers. This company provides automated online booking services to customers looking to reserve hotels for their next vacation or work trip.
The exposed customer data includes:
- PII data: Names, phone numbers, email IDs, and ID numbers.
- Credit card details: Account number, CVV number, expiration date, card holder’s name, and cost of hotel reservations.
- Reservation details: Dates of stay, number of guests, names of all guests, contact information, and more.
The company, Prestige Software, was storing all of its customer and reservation data in an AWS (Amazon Web Services) S3 bucket.
S3, or Simple Storage Service, is an object storage technology provided by AWS for the purpose of storing classified and sensitive data.
Certain compliance requirements and standards need to be maintained when using an S3 bucket to store data.
Such regulatory compliance allows companies to store the data securely and build solid layers of security against data breaches. An important part of this is adhering to PCI DSS.
Why did this data breach occur?
Based on the scale of personally identifiable information exposed, experts believe that the breach occurred due to a misconfigured AWS S3 bucket, together with poorly maintained compliance with PCI DSS, the Payment Card Industry Data Security Standard. PCI DSS is a crucial information security standard that protects the data of branded credit card holders and allows them to make safe and secure transactions on online portals.
According to websiteplanet.com, Prestige Software was not following this standard, and as a result its ability to accept and process credit card statements was curtailed. The resulting data breach made all of this sensitive information easy to obtain, leaving millions of customers exposed on the Internet. The effects of this data breach will be felt by the company directly in terms of negative press coverage, loss of business, and legal action. They will also have to face heavy fines due to GDPR and data privacy violations.
This data breach doesn’t just affect customers and the company itself but also exposes its clients, including big names such as Expedia, Booking.com, Agoda, Sabre, Omnibees, and more. What’s more concerning is that while investigations into the data breach were ongoing, new customer records were still being accepted, recorded, and uploaded to the platform.