French Hotel Giant Leaks 1TB+ of Client Data

Written by

A leading European hotel booking platform has leaked over 1TB of data on customers, clients and partners thanks to an unsecured Elasticsearch database, exposing them to account takeover, identity theft and financial fraud.

Researchers at vpnMentor discovered the database in question on an unsecured and unencrypted server. It belonged to French B2B hotel booking firm Gekko Group, which is said to have a client list of 600,000 global hotels and is a subsidiary of Europe’s largest hotel group, AccorHotels.

Despite reaching out to AccorHotels and Gekko Group immediately after discovering the privacy snafu on November 7, it took the former a week to respond and confirm that the leak had been plugged.

The data itself came from multiple different businesses within the Gekko Group and the travel agencies and booking sites they interact with, meaning many customers who had no direct relationship with the B2B giant were affected across Europe — including in the UK, France, Portugal, Spain and the Netherlands, as well as Israel.

The main subsidiaries affected in the leak were Teldar Travel, a B2B booking system for European travel agents, and Infinite Hotels, which handles wholesale inventory and booking data distribution, according to vpnMentor.

External platforms they interact with that were also caught in the incident included Booking.com, Hotelbeds.com, Mondial Assistance and more.

Exposed data included reservation details such as full names and addresses as well as invoices including unencrypted payment data for travel agents and their customers. The researchers were also able to discover plain text passwords for accounts on Gekko Group platforms.

“With these, hackers could enter accounts and charge purchases to virtual credit cards stored within, maxing them out before AccorHotels or Gekko Group can charge clients for reservations, and similar bookings made. This could lead to serious losses for the company,” vpnMentor claimed.

“The contents of the database could also help hackers target the same companies in other ways. Using the information and accesses exposed, they could create effective phishing campaigns, or target companies with various forms of malicious software attacks: malware, spyware, ransomware, and more.”

Hackers could also use the data to target holidaymakers themselves with convincing phishing attacks, the firm argued.

“Enterprise infrastructures are filled with tens of thousands of cloud resources that create opportunities for leakage. In this case, it’s likely that an identity changed the privacy configurations for a legitimate reason for a single Elasticsearch server, exposing more than a terabyte of sensitive data,” explained Balaji Parimi, CEO of CloudKnox Security.

“Because companies struggle so badly with visibility into complex multi-cloud environments, finding these vulnerabilities can be like looking for a needle in a haystack. At this scale, a prevention-first approach is critical.”

What’s hot on Infosecurity Magazine?