Cloud Storage Misconfiguration Puts Millions of Worldwide Hotel Guests Data at Risk

Nov 30, 2020

Cloud Storage Misconfiguration Puts Millions of Worldwide Hotel Guests Data at Risk Image

Prestige Software’s “Cloud Hospitality,” used by hotels to integrate their reservation systems with online booking websites by the likes of Booking.com, Expedia, and Hotels.com, has been storing customers files unprotected for years, thanks to a misconfigured Amazon Web Services S3 bucket. Affected records, going back as far as 2013, include credit card information, national ID numbers, and reservation details. According to researchers, these leaks put well over 10 million customers at risk of fraud and online attacks.

The company (Prestige Software) was storing years of credit card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks. The S3 bucket contained over 180,000 records from August 2020 alone. Many of them related to hotel reservations being made on numerous websites, despite global hotel bookings being at an all-time low for this period.

Website Planet

This is the latest in a line of large scale breaches due to cloud misconfigurations. In October, Pharma giant Pfizer leaked the medical data of prescription-drug users in the U.S. due to an unprotected Google Cloud storage bucket. Around the same time VoIP provider, Broadvoice, found a leak in their company’s “b-hive” cloud-based communications suite, exposing more than 350 million customer records. These are just some of the large-scale compromises we’ve become aware of, but there are likely more. A study from Comparitch has shown that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet for anyone to access their contents.

As one could expect, COVID-19 has exacerbated these misconfiguration issues. As more and more information is moved into the cloud, and employees are accessing and placing data into the cloud from beyond controlled networks, more entry points have opened. Cybercriminals are aware of this and are actively on the hunt for open databases.

“Little did we know back then, almost 6 months ago, that the outbreak of COVID-19 would occur, creating the perfect storm for cyberattackers to take advantage of an incredibly disruptive period. Businesses were forced to adopt solutions rapidly, potentially skipping usual protocols, and likely employee use of ‘shadow IT’ solutions. As more and more remote employees place vital data into the cloud, this creates more entry points that are vulnerable and open for cyberattackers to exploit.”

Ryan Trost, CTO and co-founder of ThreatQuotient

As is the case with most cyber threats, misconfiguration issues are avoidable and detectable. As cloud-hosted systems are increasingly relied upon, teams must be educated on practicing proper IT hygiene. IT teams should understand the full set of access control tools they have available to them and reduce risks further by adopting better processes to track configuration and inventory.

About Secuvant

Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more, visit www.secuvant.com.