Privacy in a countryside getaway is no longer a guarantee. Escapada Rural, a local Spanish short-term rental service akin to Airbnb, left large amounts of private customer data exposed for half a year. Hackers got hold of the data and posted it on BreachForums, an illicit marketplace.
On January 8th, the Cybernews research team discovered an internet-facing storage repository belonging to Escapada Rural. It contained a database of the personal information of 2.9 million customers, including their names, email addresses, genders, dates of birth, and phone numbers.
Exported from the company’s database, the personal data was stored in a publicly accessible CSV file, and the latest entries were from November 7th, 2022.
Unfortunately, Cybernews researchers were not the first to discover the exposed Amazon Web Services Cloud Storage Bucket.
Further investigation revealed that a malicious actor had already posted the dataset on the illicit marketplace BreachForums. The post author goes by the alias ‘louhunter.’
“The forum post dates back to July 2023. This indicates that Escapada Rural failed to identify and secure the leak for over six months. There is an increased likelihood that the leaked information has been, is currently being, and will continue to be abused by malicious actors,” the Cybernews research team warns.
Other database backup files were also exposed. However, they contained less sensitive information, such as property listings from booking.com and other sites. Anyone with a little technical knowledge could also access photos for property listings due to no authentication method being required.
“This leak could be very tempting to rental scammers who target their victims posing as property managers or agents, offering phantom rentals or similar scams. They can deploy large databases to commit fraud, such as upfront payment scams, on a large scale,” our researchers said.
Customers should also beware of other usual exploits, such as using data for phishing, spam, doxxing, or even financial fraud.
Escapada Rural, founded in 2007, is owned by HomeToGo, an operator of multiple websites for booking and renting holiday apartments. The parent company claims to offer a “SaaS-enabled marketplace with the world’s largest selection of vacation rentals.”
HomeToGo-owned brands include Agriturismo.it, Amivac, Casamundo, CaseVacanza.it, Wimdu, and others.
HomeToGo is a publicly traded company on the Frankfurt Stock Exchange, with a market capitalization of around 267 million euros.
Cybernews reached out to both companies but didn’t receive a response before publishing this story. After the disclosure, the leak was sealed.
Companies risk millions in fines for data breaches
European companies must follow the General Data Protection Regulation (GDPR) when servicing customers and processing their data.
In its privacy policy, Escapada Rural stated that it stores personal information following GDPR’s article 32, which requires encrypting or pseudonymizing the data. The company should also have processes in place to regularly test and assess the security of the data.
“The company seemingly did not take these steps, as it leaked user information in plain text and failed to identify the leak for a long time. Such failures to secure and monitor for security issues when storing private information may result in fines of up to 20 million euros or four percent of the company’s total global turnover of the preceding fiscal year, according to GDPR,” Cybernews researchers warn.
This leak could have been prevented by employing proper access control policies, enabling proper authentication on the cloud storage bucket, encrypting sensitive information, and incorporating other security safeguards.
Your email address will not be published. Required fields are markedmarked