Exposed database left terabyte of travelers' data open to the public

CNET Technology 3 weeks ago

When it comes to travel, most people are concerned with planning their trip, getting the best price and making sure they've packed everything. Now they also need to worry about whether their reservation companies have properly secured their data: Security researchers found that one of Europe's largest hotel booking companies left more than a terabyte of sensitive data exposed on a public server.

The exposed database contained travelers' information like names, home addresses, lodging, children's personal information, credit card numbers and thousands of passwords stored in plaintext, the security researchers said Wednesday. The database stores information on 140,000 clients, each of which could be an individual, a group of travelers or an organization.

The database belongs to Gekko Group, a subsidiary of France-based AccorHotels, Europe's largest hospitality company. Gekko Group handles business travel and luxury travel with more than 600,000 hotels across the world, according to its website. AccorHotels referred to Gekko Group for comment. 

Fabrice Perdoncini, Gekko Group's CEO, said that the company has secured the database and is launching an internal investigation on its IT systems.

"Ensuring the adequate protection of our clients' data is of utmost importance to Gekko Group, a B2B company," Perdoncini said in a statement. "We acknowledge the seriousness of this matter and confirm that no malicious use or misuse of data has been reported so far."  

The company said that it was informing its affected clients and that less than 1,000 unencrypted credit card numbers were stored on the database. But more credit card numbers could have been seen in document scans stored on the server.

The pile of leaked passwords contained the credentials for the World Health Organization, and a potential hacker could have used those credentials to book travel using the group's budget, the security researchers said. The WHO didn't respond to a request for comment. 

The discovery came via independent security researchers Noam Rotem and Ran Locar, who worked with Israeli security company VPNMentor to find the exposed database. "It's unfortunately not the first time we see a data breach of this scale with that type of sensitive information. It's sadly a much more common issue than one would think," Rotem said in a statement.

The researchers found the database, an Elasticsearch instance, through an online scan for servers that lacked proper protections. Elasticsearch listens on TCP port 9200 by default and, until Elastic made its security features free in versions 6.8 and 7.1 in May 2019, shipped without authentication unless a paid plugin or a reverse proxy was put in front of it; any node bound to a public address was therefore readable by anyone who found it.
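The check such a scan performs, as an added example that is not the researchers' tooling or anything from the article: an open Elasticsearch node answers GET / with a JSON banner carrying `cluster_name` and a version number, and GET /_cat/indices?format=json lists every index with its document count. A node behind authentication returns 401 to the same requests. The `classify` function below interprets those two responses with no network access, so the constructed sample responses at the bottom (not real data) let it run offline; `probe` wraps it with a real HTTP fetch for use against a host you are authorised to test. The host and index names are placeholders.

```python
"""Decide whether an Elasticsearch node answers unauthenticated HTTP requests."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class EsExposure:
    reachable: bool                 # looked like Elasticsearch at all
    authenticated: bool             # the node demanded credentials (401/403)
    cluster_name: Optional[str]
    version: Optional[str]
    indices: List[dict] = field(default_factory=list)   # user indices only

    @property
    def exposed(self) -> bool:
        """Open to the world and holding data: what the scan is looking for."""
        return self.reachable and not self.authenticated and bool(self.indices)

    @property
    def total_docs(self) -> int:
        return sum(int(i.get("docs.count") or 0) for i in self.indices)


def classify(root_status: int, root_body: str,
             cat_status: int, cat_body: str) -> EsExposure:
    """Interpret the responses to GET / and GET /_cat/indices?format=json."""
    if root_status in (401, 403):
        return EsExposure(True, True, None, None)
    if root_status != 200:
        return EsExposure(False, False, None, None)
    try:
        banner = json.loads(root_body)
    except json.JSONDecodeError:
        return EsExposure(False, False, None, None)
    cluster = banner.get("cluster_name")
    version = (banner.get("version") or {}).get("number")
    if cluster is None or version is None:
        return EsExposure(False, False, None, None)   # 200, but not an ES banner
    indices: List[dict] = []
    if cat_status == 200:
        try:
            rows = json.loads(cat_body)
        except json.JSONDecodeError:
            rows = []
        # Skip system indices (.kibana, .security, ...): they are not the payload.
        indices = [r for r in rows
                   if isinstance(r, dict)
                   and not str(r.get("index", "")).startswith(".")]
    return EsExposure(True, False, cluster, version, indices)


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def probe(base_url: str) -> EsExposure:
    """Run the two requests against a live node, e.g. probe('http://es.example:9200')."""
    base = base_url.rstrip("/")
    root_status, root_body = fetch(base + "/")
    cat_status, cat_body = fetch(base + "/_cat/indices?format=json")
    return classify(root_status, root_body, cat_status, cat_body)


# Constructed sample responses (placeholders, not captured from any real server).
SAMPLE_OPEN_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "bookings-cluster",
    "version": {"number": "6.8.0"}, "tagline": "You Know, for Search",
})
SAMPLE_OPEN_INDICES = json.dumps([
    {"index": "reservations", "docs.count": "140000", "store.size": "1.1tb"},
    {"index": ".kibana", "docs.count": "3", "store.size": "20kb"},
])
SAMPLE_AUTH_BODY = json.dumps({"error": {"type": "security_exception",
                                         "reason": "missing authentication credentials"},
                               "status": 401})

if __name__ == "__main__":
    result = classify(200, SAMPLE_OPEN_BANNER, 200, SAMPLE_OPEN_INDICES)
    print("exposed:", result.exposed, "user indices:", len(result.indices),
          "documents:", result.total_docs)
```

Only run `probe` against infrastructure you own or are authorised to test. The same two requests are what the exposure scan and an attacker both issue; the remediation is to bind the node to a private interface, require authentication on every HTTP endpoint and block port 9200 at the network edge.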

"This breach represents a serious lapse in data security by Gekko Group and its subsidiaries, compromising the privacy of their customers, clients, AccorHotels, and the businesses themselves," VPNMentor said in a blog post Wednesday.

As more companies move their data to cloud servers, the question of who has locked those servers down properly has become a recurring security concern. Security researchers have repeatedly found volumes of sensitive data sitting in unsecured databases online, and they publicize the findings to push companies into protecting that data before a malicious hacker finds it.

In the past year, researchers found exposed databases detailing the debts of millions of people, along with open servers hosting millions of Facebook records. Researchers found those first, but hackers have also taken advantage of open servers: in July, a hacker allegedly stole the credit card applications of about 100 million people in the US from Capital One's Amazon Web Services cloud storage.

Rotem and Locar said they reported the exposed database to Gekko Group and AccorHotels on Nov. 7 and got a response on Nov. 13. The company told the researchers that it has since secured the server, according to Rotem and Locar.

Even if you've never interacted with those two companies, data from their partners was also exposed, the researchers said. The database had a significant amount of data from websites like Booking.com and Hotelbeds.com open to the public, including personal information and credit card numbers, researchers said. 

Booking.com and Hotelbeds.com didn't respond to a request for comment.

VPNMentor's researchers also saw travel itineraries left on the open server, like tickets to Euro Disney and travel plans between hotels and airports with personal information.

The server was hosted in France, but the affected travelers came from several countries including Spain, the United Kingdom, the Netherlands, Portugal, France, Belgium, Italy and Israel, researchers said.  

"For two companies of their respective sizes and market shares, Gekko Group and AccorHotels would be expected to have more robust data security," VPNMentor said. "By exposing such a huge amount of sensitive data, they will likely face questions over how this happened, and their wider data security policies for all brands they own." 
