Hospitality Cloud Platform Data Breach Caused by Misconfigured S3 Bucket

According to a new report from Website Planet, there has been a massive data breach involving   a third-party hotel hospitality platform run by Prestige Software, which is based in Spain. It appears that many hotels use Prestige’s platform to automate hotel room availability on several popular travel booking websites. The breach involves an estimated 10 million files (24.4 GB worth of data) related to hotel guests. Included in the breached data was personally identifiable information, such as credit card details, names, email addresses, national identity numbers, and much more, all of which can be misused in the wrong hands.

Website Planet determined that the breach was caused by none other than a misconfigured AWS S3 bucket. This is not surprising, as misconfigured S3 buckets are a leading cause of data breaches.

This breach, like so many others, will have negative consequences for Prestige, their customers, and their customers’ customers. For Prestige, they will have to pay fines and invest in follow-up investigations and compliance reporting because they have breached, at a minimum, PCI DSS and GDPR. As for Prestige’s customers (the travel booking websites), while they are not responsible for the data that was breached, they should ensure that all their partners are fully secure and compliant. As for the affected consumers, they will be vulnerable to identity theft. 

Any business needs to take cloud security and compliance seriously. DivvyCloud by Rapid7 can help by providing full visibility into what’s going on in your cloud environment and automated remediation to fix cloud misconfigurations. Take a look at our demo center to see how we can detect and quarantine an open S3 bucket within seconds!