ADVERTISEMENT

Taiwan visitors exposed in massive hotel booking data leak

Blockchain technology solutions company OwlTing has inadvertently exposed 765,000 users' sensitive data by leaving open access to its AWS storage (S3). The spill mostly affected hotel guests in Taiwan.

OwlTing research

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Oct 15, 2024 Updated: 8 December 2025 2 min read

What data was exposed?

  • Full Names
  • Phone numbers and some email addresses
  • Hotel booking details, such as dates for orders, check-ins and check-outs, room numbers and types, amounts paid and outstanding, currency, and the reservation service used for booking.
owltings-leak
ADVERTISEMENT

The data may be used by attackers

Treat Amazon S3 buckets with care

  • Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
  • Monitor retrospectively access logs to assess whether the bucket has been accessed by unauthorized actors.
  • Enable server-side encryption to protect data at rest.
  • Use AWS Key Management Service (KMS) to manage encryption keys securely.
  • Implement SSL/TLS for data in transit to ensure secure communication.
  • Consider implementing security best practices, including regular audits, automated security checks, and employee training.

Disclosure timeline

  • July 29th, 2024: Leak discovered.
  • August 2nd, 2024: Initial disclosure email sent, and multiple follow-up emails followed.
  • September 13th: CERT in Taiwan informed.
  • September 19th: Access to the data was closed.
ADVERTISEMENT