Forget going to a hotel … especially since records go back to 2013 … were you affected? from blog The Technology blog and podcast
I’m not going to say that 10 million records is nothing, especially with the billions of records that have already been taken and potentially used.
In an article written by Threatpost, we are learning that a processor that many chains of hotels used had a misconfiguration in their Amazon S3 bucket that exposed millions of records going all the way back to 2013.
The records, according to the article, include names, credit card numbers including CVV, reservation info, and potentially more.
According to the article, fraudsters and scammers could use this data for anything from credit card fraud to blackmail, and potentially much more.
The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests;
card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates
of a stay, special requests made by guests, number of people, guest names and more.
Continuing, the article says:
The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees,
Sabre and more.
“Every website and booking platform connected to Cloud Hospitality was probably affected,” according to Website Planet. “These websites are not responsible
for any data exposed as a result.”
Hotel guests affected could be the targets of a wide range of attacks, from identity theft and phishing to someone hijacking their vacations, researchers
said. For instance, they pointed out that cybercriminals could use details of hotel stays to create convincing scams and target wealthy individuals who
have stayed at expensive hotels. And if any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail
and extort them.
This is probably the worst I have ever seen in this space since I’ve been keeping track of this. This is definitely not going to be the end.
The article continues:
“We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” researchers said. “So far, there is no
evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”
Other attack scenarios include credit-card fraud and longer scam efforts where an attacker could use the details to establish trust, and then ask encourage
people to click on malicious links, download malware or provide valuable private data.
As for Prestige, it’s subject to General Data Protection Regulation and the Payment Card Industry Data Security Standard, known as PCI DSS. GDPR violations
can result in large fines. And non-compliance to the PCI DSS may mean that Prestige’s ability to accept and process credit-card payments will be stripped,
researchers noted.
“The international travel and hospitality industries have been devastated by the coronavirus crisis, with many companies struggling to survive, and millions
of people out of work,” researchers said. “By exposing so much data and putting so many people at risk in such a delicate time, Prestige Software could
face a PR disaster due to this breach.”
Researchers contacted AWS directly, and the S3 bucket was secured the following day. Prestige, they said, confirmed that it owned the data. Threatpost
has reached out to Prestige for a comment on the incident.
We don’t know what these other details may be, but this is something that this company who does this type of thing should be aware of. The credit card processor has rules they need to follow including making sure they protect the credit card data. This is something that needs to be addressed. If they violated those rules, then they should be stripped of processing credit cards. This could affect millions!
The article states:
“We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” researchers said. “So far, there is no
evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”
Other attack scenarios include credit-card fraud and longer scam efforts where an attacker could use the details to establish trust, and then ask encourage
people to click on malicious links, download malware or provide valuable private data.
As for Prestige, it’s subject to General Data Protection Regulation and the Payment Card Industry Data Security Standard, known as PCI DSS. GDPR violations
can result in large fines. And non-compliance to the PCI DSS may mean that Prestige’s ability to accept and process credit-card payments will be stripped,
researchers noted.
That is the most important thing we can take out of this.
What to read
- Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak
- Payment Card Industry Data Security Standard
Were you affected by this? Sound off, and let your voice be heard. This has got to be the worst thing I’ve ever seen, and I’m sure we are not done with the story yet. Oh boy.
Updated 19:09 11/9/20: with the following disclaimer:
The Wikipedia article linked here may have lots of promotional sourcing, something frowned upon. Read it at your own risk; you may be able to find something about the PCI DSS standard elsewhere or through a credible source linked within.
About the article
Forget going to a hotel … especially since records go back to 2013 … were you affected? was released on November 9, 2020 at 3:00 pm by tech in article commentary.
Last modified: November 9, 2020.