Online hotel and travel booking, personal data at risk: how to defend yourself

A security flaw due to a server misconfiguration has put the data of those who book on the major online booking platforms at risk for years

Bad news for hotel and travel booking sites: a flaw in the system may have put credit cards and personal data at risk. A piece of software may have allowed the data of customers of online platforms to be leaked, all due to a misconfiguration of the Amazon Web Services cloud platform. This is not an online travel scam, but a technical error.

The data breach was reported by Website Planet, which also revealed some information about the extent of the damage. The information potentially at risk would cover accounts and bookings made since 2013. The site's security team also reported that the breach was due to poor storage of user data by Prestige Software, a Madrid- and Barcelona-based company that provides a booking management program called Cloud Hospitality, which automatically manages availability on booking portals.

Data at risk, Cloud Hospitality is to blame

The Cloud Hospitality software, used to organize availability on travel booking sites, is not directly responsible for the data exposure. Instead, at the root of the massive data breach would be the cloud storage, hosted on Amazon Web Services S3.

Cloud Hospitality has been chosen by many for managing reservations around the world, so much so that it has collected over 10 million individual log files since 2013. Within hours of the discovery, the cloud server was still up and running, with over 180 thousand bookings made in August 2020 alone.

Cloud Hospitality, what data is at risk

The breach exposed a large amount of data, some of it particularly sensitive. In addition to the full names, documents and email addresses included in the reservations, the booking references themselves and the details of the credit cards used both to hold the reservation and for payment, if made at the same time as the reservation, would be unencrypted.

For the cards in particular, the data at risk are the card numbers, the full names of the cardholders, the CVV number and the expiration date. It is therefore advisable to keep an eye on your payment methods in the coming weeks to avoid unpleasant surprises on your bank account.

Data at risk, which websites are affected

According to Website Planet, data processed through a large number of web portals, among the most used for reservations, have been affected. In addition to and Expedia, Agoda,, Amadeus, Sabre, Omnibees and Hotelbeds were also affected.