Travel Booking websites face massive data breach, payments credentials exposed

Prestige Software, a company based in Spain, experienced a large-scale data leak in early  November. The company provides software solutions to numerous travel websites.

Many prominent hotel booking websites use Prestige’s Cloud Hospitality tool. Therefore, their data is available in the leaky AWS S3 storage bucket. Among the affected websites are Expedia, Amadeus, Booking.com, Hotels.com, Sabres, and many more

According to the research conducted by Website Planet, the data of millions of hotel guests worldwide was exposed. Actually, more than 24GB of customer data stored in the form of a Misconfigured AWS S3 bucket was discovered. The data goes back to 2013 and contains credit card credentials of hundreds of thousands of people. 

Specifically, the leaked data included customers’ full names, email addresses, national ID numbers, phone numbers, credit card number, cardholder’s name, CVV, expiration date, along with payment and booking details. As a result, Prestige was able to store credit card data, payments credentials, and booking details on its database. Unfortunately, the database did not have cybersecurity protection.

According to the data garnered by Website Planet, millions of individuals could be affected. The leaked data is huge, making it is difficult to gauge the number of people impacted. 

Due to the leakage of credit card details, Prestige Software has breached the Payment Card Industry Data Security Standard, known as PCI DSS. Regrettably, this can cause the company to lose the mandate to accept and process credit card payments. Worse, since Prestige is based in the EU, is it answerable to the trade bloc’s stringent GDPR guidelines. 

Website Planet reported that the stolen data can be used in credit card fraud/identity theft, email phishing scams, malware attacks. It can also be used to steal someone’s hotel one’s hotel reservation.