Taiwan visitors exposed in massive hotel booking data leak


Blockchain technology solutions company OwlTing has inadvertently exposed 765,000 users' sensitive data by leaving open access to its AWS storage (S3). The spill mostly affected hotel guests in Taiwan.

On July 29th, the Cybernews research team, during a routine investigation using OSINT methods, discovered a misconfigured Amazon S3 bucket storing a massive amount of files. S3 buckets are simple cloud storage containers on Amazon Web Services (AWS), similar to file folders for storing files.

Over 168,000 CSV and XLSX documents in the bucket contained the personally identifiable information (PII) of over 765,000 customers.


The leak was attributed to OwlTing, a Taiwanese company that serves global travel, food safety, hospitality, media, and other e-commerce sectors and offers well-recognized blockchain solutions.

The company confirmed the incident and took appropriate actions to close the leak. However, it somewhat downplayed the severity, saying, “The incident did not involve any sensitive data.”

“The leakage of personal information such as full names, phone numbers, and hotel reservation details can lead to various forms of identity theft and fraud, posing serious risks to the affected individuals,” Cybernews researchers warn.

What data was exposed?

The exposed data appears to be related to hotel management services and mostly contained booking data from popular platforms, such as Booking, Expedia, and others.

The leaked data includes the following:

  • Full names
  • Phone numbers and some email addresses
  • Hotel booking details, such as dates for orders, check-ins and check-outs, room numbers and types, amounts paid and outstanding, currency, and the reservation service used for booking.

The leak did not contain many email addresses – only around 3,000. Mostly phone numbers were collected. The total number of various records in the leak was almost nine million.

Over 92% of the exposed phone numbers belong to users from Taiwan. The compromised dataset also included thousands of users from Japan, Hong Kong, Singapore, Malaysia, Thailand, and South Korea. Almost no American users were identified. However, the leak contained hundreds of users from most European countries.

The data may be used by attackers

Cybernews researchers warn that the exposed data would be very valuable to cybercriminals who specialize in spearphishing, voice phishing (vishing), SMS phishing (smishing), and other social engineering attacks. The data may also be combined with data from past leaks to attempt financial fraud or account compromise attacks.

“Attackers can use details from past hotel reservations to create highly convincing phishing attempts. For example, an SMS or email referencing a previous stay at a specific hotel, asking for feedback or offering a discount for future bookings, could trick individuals into clicking malicious links or providing further personal information,” the researchers warn.

Fraudsters can use phone numbers to call or text users, pretending to be someone from the hotel or a related service, asking for sensitive information such as credit card numbers or passwords. Also, a long list of phone numbers can be exploited for illicit robocalling.

Doxxing is another serious threat, as cybercriminals are known to search the internet for sensitive materials that may be used to further their financial or personal agendas.

Cybercriminals automate their attempts using AI and other tools to launch attacks at scale.

The Cybernews research team cannot verify if the data was accessed by any threat actors or other third parties. We reached out to OwlTing for additional comments; however, we did not receive a response before publishing.


Treat Amazon S3 buckets with care

Organizations that rely on cloud resources to manage sensitive information should implement robust security measures for their S3 buckets.

The Cybernews researchers recommend the following mitigation steps in case Amazon S3 buckets are exposed:

  • Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
  • Review access logs retrospectively to assess whether the bucket has been accessed by unauthorized actors.
  • Enable server-side encryption to protect data at rest.
  • Use AWS Key Management Service (KMS) to manage encryption keys securely.
  • Implement SSL/TLS for data in transit to ensure secure communication.
  • Consider implementing security best practices, including regular audits, automated security checks, and employee training.
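
The retrospective access-log review from the list above can be scripted. The following is an added example, not code from Cybernews or OwlTing: it parses S3 server access log records and summarises successful unauthenticated listings and downloads per source IP. It assumes server access logging was enabled on the bucket before the exposure; the function names and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# One token per field: [bracketed timestamp], "quoted string", or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# First twelve fields of an S3 server access log record, in order.
FIELDS = ("owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code", "bytes_sent")
READ_OPS = {"REST.GET.BUCKET": "listings", "REST.GET.OBJECT": "objects"}

# Constructed sample records: placeholder bucket, owner and request IDs,
# documentation-range IP addresses. Not data from the incident.
SAMPLE_LOG = """\
ownerid example-bucket [29/Jul/2024:10:01:02 +0000] 198.51.100.7 - REQ0001 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 5120 - 12 11 "-" "curl/8.0" -
ownerid example-bucket [29/Jul/2024:10:01:09 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT exports/bookings-2024-07.csv "GET /exports/bookings-2024-07.csv HTTP/1.1" 200 - 204800 204800 40 38 "-" "curl/8.0" -
ownerid example-bucket [29/Jul/2024:10:05:00 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/etl REQ0003 REST.GET.OBJECT exports/bookings-2024-07.csv "GET /exports/bookings-2024-07.csv HTTP/1.1" 200 - 204800 204800 35 33 "-" "aws-sdk" -
ownerid example-bucket [19/Sep/2024:08:00:00 +0000] 203.0.113.9 - REQ0004 REST.GET.OBJECT exports/bookings-2024-07.csv "GET /exports/bookings-2024-07.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -
"""


def parse_line(line):
    """Return the leading fields of one record as a dict, or None if malformed."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = rec["time"].strip("[]")
    rec["request_uri"] = rec["request_uri"].strip('"')
    return rec


def anonymous_reads(log_text):
    """Summarise successful unauthenticated list/get requests per source IP."""
    summary = defaultdict(lambda: {"listings": 0, "objects": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Requester "-" marks an unauthenticated request; 2xx means data was served.
        if not rec or rec["requester"] != "-" or not rec["status"].startswith("2"):
            continue
        kind = READ_OPS.get(rec["operation"])
        if kind is None:
            continue
        entry = summary[rec["remote_ip"]]
        if kind == "listings":
            entry["listings"] += 1
        else:
            entry["objects"].add(rec["key"])
        entry["bytes"] += int(rec["bytes_sent"]) if rec["bytes_sent"].isdigit() else 0
    return dict(summary)
```

S3 delivers server access logs on a best-effort basis, so an empty result does not prove that nobody read the data.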

OwlTing, founded in Taiwan in 2010, specializes in blockchain technology solutions for many sectors. The company has a global presence, including offices in the United States, Japan, Malaysia, Thailand, and Singapore.

Disclosure timeline

  • July 29th, 2024: Leak discovered.
  • August 2nd, 2024: Initial disclosure email sent, and multiple follow-up emails followed.
  • September 13th: CERT in Taiwan informed.
  • September 19th: Access to the data was closed.
