Room for error: European hotel chain exposes millions of guests' data


Arrival times, price paid, and contact details – over 24 million records with sensitive data were left passwordless online, putting hotel customers at risk.

The Cybernews research team discovered an unprotected Elasticsearch server and Kibana interface that leaked the sensitive data of an enormous number of people. The leaked dataset contained nearly 25 million records of hotel customer data.

What kind of data was leaked?

  • Names
  • Emails
  • Phone numbers
  • Date of birth
  • Country code
  • Language code
  • Information about hotel visits
  • Detailed stay information, including arrival time, nights booked, price paid, and number of guests
  • Loyalty points
  • Property IDs
Sample of the leaked data. Image by Cybernews.

It was not possible to determine exactly which company was responsible for the data leak. Still, there are strong indicators that the leaked dataset could belong to Honotel Group, a French hospitality investment and management firm.

Over the years, the Group has been a key player in the hospitality sector in France and Europe, running hospitality brands and 135 hotels across eight European countries. Its asset valuation is €1.2 billion.

The leaked data specifically mentions "SITE HONOTEL." It also shows integrations with booking platforms such as Booking.com, indicating that the leaked database could be part of Honotel’s guest and booking management system.

Cybernews contacted the group for clarification about the incident but has not received a response. Since the disclosure was sent, access to the database has been secured.

Leaked data puts hotel guests at risk

The exposed data puts hotel customers’ privacy and security at risk. Personally identifiable information (PII), along with booking data and exact travel information, could be a treasure trove for threat actors.


For example, attackers could craft targeted phishing attacks and use them for fraud and identity theft, which can have serious consequences such as compromised financial accounts.

Leaving customer data open risks legal action and reputational consequences for the company. Data protection laws, such as the European General Data Protection Regulation (GDPR), require companies to report personal data breaches within 72 hours.


GDPR imposes fines for not implementing best security practices to protect PII. Violations can result in fines of 2% to 4% of a company’s total global annual revenue.

To avoid leaking sensitive data in the future, our researchers advise the company to:

  • Secure storage with proper access controls and ensure that it is password-protected
  • Notify the affected clients so they can take precautionary measures
  • Conduct a thorough security audit to identify and rectify any other potential vulnerabilities
  • Implement regular security monitoring and incident response protocols
  • Educate employees about data security best practices to prevent future breaches
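As an added example (not code from the article, Cybernews, or Honotel), the check below audits an elasticsearch.yml for the combination behind this kind of leak: a node bound to a non-loopback address with authentication switched off. The setting names are real Elasticsearch settings, the sample configurations are constructed, and absent keys are evaluated against the 8.x default of security enabled, an assumption to adjust for older clusters.

```python
# Constructed example: audit an Elasticsearch node config for the
# "reachable over the network, no authentication" exposure pattern.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text: str) -> dict:
    """Parse the flat `key: value` lines used in elasticsearch.yml.
    Comments and blank lines are skipped; nested blocks are out of scope."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings

def is_true(value, default: bool) -> bool:
    if value is None:
        return default          # key absent: fall back to the version default
    return value.lower() in ("true", "yes", "on", "1")

def audit_elasticsearch(text: str, es_major: int = 8) -> list:
    """Return findings for one config; an empty list means no exposure found."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")   # Elasticsearch binds to loopback by default
    public = host not in LOOPBACK
    # Security is on by default since 8.0; earlier majors shipped with it off.
    security = is_true(s.get("xpack.security.enabled"), default=(es_major >= 8))
    tls = is_true(s.get("xpack.security.http.ssl.enabled"), default=False)
    findings = []
    if public and not security:
        findings.append(f"bound to {host} with authentication disabled: "
                        "anyone who can reach port 9200 can read every index")
    if public and security and not tls:
        findings.append("authentication enabled but HTTP TLS is off: "
                        "credentials and data travel in clear text")
    return findings

# Constructed sample configs: the weak setting beside the corrected one.
EXPOSED_CONFIG = """
cluster.name: hotel-bookings
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED_CONFIG = """
cluster.name: hotel-bookings
network.host: 10.0.5.12      # internal interface only, behind a firewall
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["no findings"])
```

The same parser can be pointed at a Kibana `kibana.yml` by swapping in its `server.host` key, since an unauthenticated Kibana in front of the cluster exposes the same data through the browser.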

  • Leak discovered: October 4th, 2024
  • Initial disclosure: October 5th, 2024
  • Leak closed: October 7th, 2024