The hospitality industry has long been an attractive target for hackers. With so many hotel services now delivered online, criminals can go after anything from a vulnerable key card system to credit card details to guests’ personal information.
The security researchers at Website Planet, an ethical team that works to protect the public, recently uncovered a serious misconfiguration in Cloud Hospitality, a booking platform made by Prestige Software. The mistake exposed the personal and payment details of millions of hotel guests.
Thankfully, the flaw seems to have been discovered by a security team and not an opportunistic criminal. However, there are still plenty of consequences that stem from the company’s mistake. We’ll look at how it happened and what we can learn.
Who is Prestige Software?
Based in Spain, the company offers a channel management platform to the hospitality industry, one used by many of its biggest names. Dubbed Cloud Hospitality, the software synchronises a hotel’s availability and reservations with booking websites such as Expedia.
The exposed data was not limited to room availability. It also included credit card data and payment details, full names, email addresses, national ID numbers, the names of accompanying guests, and special requests attached to bookings. As a third-party vendor processing this data on behalf of hotels and booking sites, Prestige Software had a duty to protect it.
A Faulty Bucket
Prestige Software relied on Amazon Web Services (AWS) for its storage platform. However, the storage resource it was using, an S3 bucket, had been misconfigured so that its contents were publicly accessible, which is what Website Planet’s team found when they looked into the company’s infrastructure. The bucket held records going back to 2013: more than 10 million log files in total.
At the time of discovery, new records were still being written to the bucket, so live bookings were exposed alongside historical ones. The bucket was secured a day after Prestige Software was notified. Exactly how many people were affected remains unclear, since a single hotel reservation can cover several family members.
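The report does not say which setting was wrong, only that the bucket was readable by anyone. As an added illustration (not code from the original article, and not Prestige Software’s actual configuration, which was never published), the following Python shows what a public-read bucket policy looks like beside a restricted one, and a small checker that flags any Allow statement granting read or list access to an anonymous principal. The bucket name, account ID and role name are made up; the policy format is AWS’s standard IAM policy language.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies for illustration only. They are NOT Prestige
# Software's real configuration (never published); the bucket name, account ID
# and role name are made up.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadLogs",
        "Effect": "Allow",
        "Principal": "*",                        # anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-booking-logs",
                     "arn:aws:s3:::example-booking-logs/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-sync"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-booking-logs/*",
        },
        {
            # A Deny with Principal "*" removes access; it never grants it.
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-booking-logs",
                         "arn:aws:s3:::example-booking-logs/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone (Principal "*" or AWS "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    """Wildcards such as "s3:Get*" or "*" also cover the read actions."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatchcase(target, p) for p in patterns for target in READ_ACTIONS)


def public_read_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement that lets an
    anonymous principal read or list objects. A Condition narrows the grant
    but does not make it safe, so conditioned statements are still reported."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        findings.append((stmt.get("Sid", f"Statement[{idx}]"), "Condition" in stmt))
    return findings


def public_access_block_ok(config):
    """All four S3 Block Public Access settings must be on. With them enabled,
    a public policy like PUBLIC_READ_POLICY is rejected at PutBucketPolicy time
    and public ACLs are ignored, which would have closed this hole."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(key) is True for key in required)


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY),
                         ("restricted", RESTRICTED_POLICY)):
        print(name, public_read_statements(policy))
```

To run the checker against a real bucket, fetch the inputs with the AWS CLI (`aws s3api get-bucket-policy --bucket NAME --query Policy --output text` for the policy and `aws s3api get-public-access-block --bucket NAME` for the block settings) and pass them to `public_read_statements` and `public_access_block_ok`. Note that a bucket can also be made public through object ACLs, which this policy check does not cover; that is exactly why the account-level Block Public Access settings are the control worth asking a vendor about.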
What Are the Consequences?
The consequences of this leak are far-reaching, even though Website Planet could not link any specific attack to the exposure. We’ll look at the key lessons here and how the hospitality industry can protect itself in general.
A loss of trust is the most obvious consequence for the company. The 24.4 GB of exposed data came from bookings made through multiple platforms; Expedia, Hotels.com, Amadeus, Sabre, and Hotelbeds are just a few of those affected.
It can already be difficult to convince clients to work with third-party vendors. Hotels and online travel agencies (OTAs) will certainly be far less likely to work with Prestige Software, and they may shy away from external companies altogether for fear of putting their customers at risk.
While Prestige Software tried to downplay the severity of its mistake, a spokesperson did say that all affected hotel booking companies had been notified. News like this has the power to sink a company. It was a relatively simple error that went undiscovered for years, and a clear sign that no one was paying attention to the details that stand between guest data and the criminal element.
The absence of reported attacks directly tied to the leak doesn’t mean none have occurred, or that none will. Criminals could have found the data without announcing their discovery, and there may have been attacks that were never traced back to the bucket.
It’s also possible that someone has already pulled the information and is simply waiting to use it. The incident casts further doubt on how third-party vendors organise and secure the data they hold, and the negligence behind it raises the question of whether they are taking the right kinds of precautions at all.
The most direct threat from the leak is identity theft or other forms of financial fraud. Guests whose details were exposed are more likely to be targeted by phishing or other tailored attacks: a criminal who already holds someone’s name, email address, booking details and CVV can make a convincing approach and extract even more personal details from them.
Attackers might pose as a travel agent, change reservations, or turn up at a hotel on someone else’s dime. They could even blackmail guests based on the details of their hotel stay.
What Could the Sanctions Be?
Storing this data in a publicly readable bucket puts Prestige Software on the wrong side of both the Payment Card Industry Data Security Standard (PCI DSS), which is an industry standard rather than a law but which among other things forbids storing card verification values (CVVs) after a transaction has been authorised, and the data protection obligations defined by the GDPR. Companies are expected to follow strict protocols to protect their customers, whether the data is actively hacked or simply left exposed.
Failing to comply with PCI DSS can cost a company its ability to accept and process card payments. Under the GDPR, the company must report the breach to the supervisory authority (within 72 hours of becoming aware of it) and fix the weaknesses in its systems, or risk serious fines from EU regulators in addition to legal action from those affected.
Damaging Press Coverage
Prestige Software is just one of many companies offering a channel management platform. With the negative press coverage the company is receiving, it’s easy to see why companies like Expedia and Hotels.com would feel pressure from all sides to switch their connection technology.
Not only did Prestige Software put the details of millions of people at risk, it did so for years before an outside security team discovered the problem. The hospitality industry is already under severe strain after the drop in demand caused by the pandemic, and a competitor could easily use this news to draw business away from companies that might leave their guests’ information in the wrong hands.
First and foremost, if your company was in any way affected by this leak, your customers need to be informed. They need to be given the opportunity to cancel or change anything from credit card information to email addresses on file.
You may also need to re-evaluate your current security strategy. Despite the risks, most hotels don’t have IT teams able to guide critical infrastructure decisions, which is one reason businesses sometimes choose the wrong vendors.
A third-party storage or booking provider will make all of the right promises. No doubt the staff of Prestige Software believed they were doing everything they could to keep their clients’ data safe. But marketing spiel clearly can’t replace the due diligence hotels must do to keep their guests protected.
If a hotel doesn’t have the budget for qualified IT professionals, it should at least ask vendors for proof of auditing and routine monitoring. It could also consider bringing more of its data storage in-house so it has more control over how the information is used.
A customer booking a holiday ultimately has no real idea of how their information is transferred, organised, and stored, even though the privacy policy is supposed to describe it. Data mapping plays a big role in understanding how it all moves, yet most businesses don’t know which data they hold or where it flows in the first place. It’s critical to know what happens to the data from one location to the next.
Customers trust big names in the hospitality industry to keep their credit card details and personal information from prying eyes. While Prestige Software ultimately bears final responsibility, this won’t always stop its clients from being blamed by customers.
Preventing Data Breaches
It’s unfortunately common for companies to have major security flaws without anyone realising. Attacking businesses is lucrative enough that many have avoided a successful data breach only because attackers have limited resources and haven’t got around to them yet.
The best thing you can do is find resources that address these issues before they become leaks, and get proof at every step of the way. Whether the hospitality industry will keep using third-party vendors like Prestige remains to be seen. If it does, it’s clear that changes will need to be made on both sides of the relationship.
GDPR365 offers an affordable all-in-one solution. Starting at £45/month, a licence includes all features, from data mapping to data breach management, as well as DPIA (Data Protection Impact Assessment) and Data Subject Access Request (DSAR) handling. Click the button below to book a demo and see how our software can speed up your compliance.