A hotel reservation platform has exposed users’ data along with the details of at least 10 million customers worldwide. This could affect anyone who has booked a room via an online booking site in the last seven years.
Here’s what you need to know about this massive leak, how this can possibly affect you, and what you can do about it.
Which Vacation Booking Sites Were Affected?
The Spain-based Prestige Software that’s responsible for a hotel reservation system has been improperly storing several years’ worth of guest data on a misconfigured AWS S3 bucket, a popular cloud storage resource.
Users with accounts on the following sites should take steps to secure their data:
- Agoda
- Amadeus
- Booking.com
- Expedia
- Hotels.com
- Hotelbeds
- Omnibeds
- Sabre
More have been affected, but those are the highest-profile ones.
This is not a complete list since Website Planet, who exposed the data breach, hasn’t reviewed all the exposed data yet so there may be more. This could also affect other smaller or lesser-known booking sites that may have used the popular hotel reservation platform.
If you traveled anytime within the last few years, review your accounts to see if you booked any reservations online and so left details in one of the affected sites.
What Kind of Customer Data Was Exposed?
At least 10 million log files dating back to 2013 were leaked. The S3 bucket was still active and in use and new customer logins were still recorded hours after Website Planet made the discovery.
Among the sensitive data exposed was Personally Identifiable Information (PII) like customer’s full name, email addresses, phone numbers—even national ID numbers. Ever recall typing your passport number somewhere online?
It has your credit card number, cardholder’s name, and expiration date and CVV too, alongside other payment details.
There are also details of reservations like dates of stay, price per night, additional requests, number of people, and yes, guest names. If you’ve had a secret ‘rendezvous’ you wouldn’t want anyone to know about, you should be worried.
What Can Cybercriminals Do With Your Information?
Website Planet contacted AWS directly who then secured the S3 bucket right away. But the team cannot tell for sure if someone else found the data before they did.
So there is a chance that your information’s already being peddled on the dark web while you’re reading this. You should be wondering what cybercriminals can do with your information anyway.
Aside from blackmailing you with the juicy information they have in hand, data like this is like a gold mine for cybercriminals.
Online Identity Theft
The first thing that comes to mind when we talk of data leaks is identity fraud.
Cybercriminals can use your information to open new credit cards in your name or a line of credit. They can use your credit or debit cards for purchases, or your identity to rent an apartment. Some can use your information to get health insurance or medical care.
Phishing
Cybercriminals can also include your email in their phishing campaigns.
And since they have your other information too i.e. bank details, they can craft an email that would look like something you’d receive from your bank, complete with your credit card number. They will then send you malicious links or attachments to download malware into your computer.
Your information could be used to victimize your friends or colleagues by pretending to be you and then reaching out to all your contacts. They may trick them into sending money or downloading an infected file.
Target Wealthy Individuals for Other Scams
Scammers can also target customers who may have booked rooms in pricey hotels (and thus have more money) for more elaborate scams or extortion schemes.
Much of the information in the data leak can be used to profile a person and provide enough information for a cybercriminal to craft a follow-up spear-phishing or whaling attack.
Holiday Takeover
The data leak includes all information about future holidays. Cybercriminals can use this to call the hotel and change the reservation date and names.
Yes, they can take over your vacation or sell these reservations to others.
What Can You Do If Your Data Has Been Compromised?
Should you be worried about this? So far, there hasn’t been any reported cybercrime that can be traced back to the leak. But since there is no way to know if the data exposed was found by someone else before Website Planet, you can be a sitting duck at this point.
Fortunately, there are things you can do about it.
Check If You Were Part of the Leak
You may not remember booking a trip in 2013 but there’s a way to check, especially through your Google account. Look through your settings o see if there’s an alert that says “critical security issues found”. This will list all the sites that are linked to your account that may have been part of a breach, including this travel data leak.
Under this section, you can also check all the other linked sites, like those where you’ve recycled your password. Recycling your password is never a good idea since it will allow hackers to get into your other accounts just by hacking into one.
Otherwise, you can look for email address compromises using Have I Been Pwned. It’s worth searching your Inbox for historic uses of booking sites too.
Watch Out for Phishing Emails
Monitor your Inbox and watch out for suspicious mails.
Make sure your AV’s updated so it can detect malware in attachments and phishing links within emails.
Be on the lookout for other emails and notifications that could be a sign someone else is trying to create accounts under your name. Check for emails that alert you about signing up or may tell you about a change in your other accounts.
Don’t click on links within emails. Instead, go to official websites using a different tab, browser, or device.
Call Your Bank
It’s worth calling your bank to inform them that your active account might be part of a recent data leak. Ask them for ways they can help secure your account.
Set up Two-Factor Authentication (2FA) for your bank apps, and other websites where you have sensitive information.
Place a Credit Freeze
You may also want to consider placing a security freeze on your credit report. This will make it difficult for identity thieves to create new accounts or open a line of credit in your name.
No, freezing it will not affect your credit score.
Ditch Your Travel Accounts For Now
With lockdowns either currently in place and imminent in other parts of the world, it looks like people won’t be traveling as much right now. Consider removing your travel booking accounts for short time and just set up a new one when you are ready to travel again.
Monitor Your Accounts
Monitor your credit or debit accounts and watch out for fraudulent transactions. Don’t recognize a transaction? Contact your bank or
Guard Your Data
Your data is a precious commodity. Know that there are people who may try to get their hands on them for illegal activities.
Always keep yourself informed about data breaches so you’ll know if your information’s been compromised. And practice digital hygiene by deleting old accounts or updating your security settings.