Forget going to a hotel … especially since records go back to 2013 … were you affected? from blog The Technology blog and podcast

Forget going to a hotel … especially since records go back to 2013 … were you affected?

I’m not going to say that 10 million records is nothing, especially with the billions of records that have already been taken and potentially used already.

In an article written by Threatpost, we learn that a processor used by many hotel chains had a misconfigured Amazon S3 bucket that exposed millions of records going all the way back to 2013.
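The misconfiguration class behind this exposure is a bucket whose policy lets anonymous principals list or read objects. As an added example (not from this post or the Threatpost article), here is an offline check over a bucket policy document and the bucket's Block Public Access settings; the sample policies are constructed, and the bucket and role names are placeholders.

```python
"""Offline check for an S3 bucket whose policy lets anonymous principals list or
download objects. Sample policies are constructed; names are placeholders."""
import json

# Actions that let an anonymous caller enumerate the bucket or fetch objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _is_anonymous(principal) -> bool:
    """True when a statement's Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def _actions(stmt) -> set:
    acts = stmt.get("Action", [])
    return {a.lower() for a in ([acts] if isinstance(acts, str) else acts)}

def public_read_statements(policy_json: str) -> list:
    """Sids (or indexes) of Allow statements granting anonymous read or list.
    Statements with a Condition are still flagged; NotPrincipal/NotAction are out of scope."""
    hits = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if _actions(stmt) & READ_ACTIONS:
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits

def bucket_is_exposed(policy_json: str, public_access_block: dict) -> bool:
    """Exposed only if a public-read grant exists AND Block Public Access is not
    enforcing RestrictPublicBuckets, which confines such a policy to the owning account."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_read_statements(policy_json))

# Constructed samples: a public-read policy, and one scoped to a single role.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEveryoneRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bookings", "arn:aws:s3:::example-bookings/*"]}]})
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "BookingServiceOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-service"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bookings/*"}]})
```

Bucket ACLs (the other way a bucket goes public) are not covered here; check IgnorePublicAcls and the ACL grants separately.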

The records, according to the article, include names, credit card numbers including CVV, reservation info, and potentially more.

According to the article, fraudsters and scammers could use the data for anything from credit card fraud to blackmail, and potentially much more.

The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests;
card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates
of a stay, special requests made by guests, number of people, guest names and more.

Continuing the article says:

The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees,
Sabre and more.
“Every website and booking platform connected to Cloud Hospitality was probably affected,” according to Website Planet. “These websites are not responsible
for any data exposed as a result.”
Hotel guests affected could be the targets of a wide range of attacks, from identity theft and phishing to someone hijacking their vacations, researchers
said. For instance, they pointed out that cybercriminals could use details of hotel stays to create convincing scams and target wealthy individuals who
have stayed at expensive hotels. And if any hotel stays revealed embarrassing or compromising info about a person’s life, it could be used to blackmail
and extort them.

This is probably the worst I have ever seen in this space since I’ve been keeping track of this. This is definitely not going to be the end.

The article continues:

“We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” researchers said. “So far, there is no
evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”
Other attack scenarios include credit-card fraud and longer scam efforts where an attacker could use the details to establish trust, and then encourage
people to click on malicious links, download malware or provide valuable private data.

As for Prestige, it’s subject to General Data Protection Regulation and the Payment Card Industry Data Security Standard, known as PCI DSS. GDPR violations
can result in large fines. And non-compliance to the PCI DSS may mean that Prestige’s ability to accept and process credit-card payments will be stripped,
researchers noted.

“The international travel and hospitality industries have been devastated by the coronavirus crisis, with many companies struggling to survive, and millions
of people out of work,” researchers said. “By exposing so much data and putting so many people at risk in such a delicate time, Prestige Software could
face a PR disaster due to this breach.”

Researchers contacted AWS directly, and the S3 bucket was secured the following day. Prestige, they said, confirmed that it owned the data. Threatpost
has reached out to Prestige for a comment on the incident.

We don’t know what these other details may be, but this is something that a company doing this type of work should be aware of. The credit card processor has rules it needs to follow, including making sure it protects the credit card data. This is something that needs to be addressed. If they violated those rules, then they should be stripped of processing credit cards. This could affect millions!

The article states:

“We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” researchers said. “So far, there is no
evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”
Other attack scenarios include credit-card fraud and longer scam efforts where an attacker could use the details to establish trust, and then encourage
people to click on malicious links, download malware or provide valuable private data.
As for Prestige, it’s subject to General Data Protection Regulation and the Payment Card Industry Data Security Standard, known as PCI DSS. GDPR violations
can result in large fines. And non-compliance to the PCI DSS may mean that Prestige’s ability to accept and process credit-card payments will be stripped,
researchers noted.

That is the most important thing we can take out of this.

What to read

Were you affected by this? Sound off, and let your voice be heard. This has got to be the worst thing I’ve ever seen, and I’m sure we are not done with the story yet. Oh boy.

Updated 19:09 11/9/20 with the following disclaimer:

The Wikipedia article linked here may have lots of promotional sourcing, something frowned upon. Read it at your own risk; you may be able to find something about the PCI DSS standard elsewhere or through a credible source linked within.

Article information

Forget going to a hotel … especially since records go back to 2013 … were you affected? was released on November 9, 2020 at 3:00 pm by tech in article commentary.
Last modified: November 9, 2020.


