Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Cloud Security Privacy

Credit Card Numbers For Millions of Hotel Guests Exposed By Misconfigured Cloud Database (threatpost.com) 46

"A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket," reports Threatpost.

"The records include sensitive data, including credit-card details." Prestige Software's "Cloud Hospitality" is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com. The incident has affected 24.4 GB worth of data in total, according to the security team at Website Planet, which uncovered the bucket.

Many of the records contain data for multiple hotel guests that were grouped together on a single reservation; thus, the number of people exposed is likely well over the 10 million, researchers said. Some of the records go back to 2013, the team determined — but the bucket was still "live" and in use when it was discovered this month. "The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks," according to the firm, in a recent notice on the issue. "The S3 bucket contained over 180,000 records from August 2020 alone...."

The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more. The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more....

A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitch showed that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.

This discussion has been archived. No new comments can be posted.

Credit Card Numbers For Millions of Hotel Guests Exposed By Misconfigured Cloud Database

Comments Filter:
  • by Pollux ( 102520 ) <speter@[ ]ata.net.eg ['ted' in gap]> on Sunday November 15, 2020 @06:59AM (#60726578) Journal

    I'm frustrated that neither of the two most relevant questions to this story weren't answered in the summary, especially for one such as myself that does their fair share of online hotel reservations. For those like myself who are concerned, here are the answers from the article:

    “We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” researchers said. “So far, there is no evidence of this happening.”...Researchers contacted AWS directly, and the S3 bucket was secured the following day.

  • I guess now everyone involved gets a massive fine for this?
  • by Anonymous Coward

    Back around 2017 AWS introduced a bright orange "Public Access" pill to the S3 management interface that decorated any buckets that had been granted public access permissions. This was great and made it easy to monitor for and fix any buckets that got created with (or were later updated with) these permissions.

    But it didn't last. The current S3 management interface seems to have regressed because those pills don't appear any more and you're back to manually checking each S3 bucket by hand for public permiss

    • Withdrawing that "Pill" feature may mean AWS will have to share culpability unless they had good and legitimate reasons for that step. This is just speculation on my part, this kind of service is far from my area of expertise.
      Memo to self: run those self-tests again, the current edition of the German magazine C't goes into exactly that kind of stress testing - it is a very common problem and the people who offer such solutions when their customers don't understand how to configure them correctly. How much

      • by Anonymous Coward

        "This is just speculation on my part, this kind of service is far from my area of expertise."

        You recognize that you have no real clue what you're talking about, yet you still posted this. Why?

        Any time you can honestly start a post with "I'm just guessing about a topic I have no knowledge of", you should consider NOT POSTING.

        • This is Slashdot and I have seen some incredible misinformed speculation here on events where I was actually involved, and it was *not* labeled as such.

  • by AndyKron ( 937105 ) on Sunday November 15, 2020 @08:01AM (#60726672)
    Good thing they signed that EULA that absolves everybody of any responsibility.
    • Except that this isn't a company that deals with end-users. They host data for companies. No EULAs here.

  • by ytene ( 4376651 ) on Sunday November 15, 2020 @08:13AM (#60726694)
    The only way to address this is to enforce existing laws and strengthen them where necessary.

    In Europe, Data Privacy laws require that data be deleted once it is no longer "necessary" to the business. That means that Prestige Software, if they operate in Europe, better have a damned good reason for keeping records that go back to 2013. That damned good reason had better include why they needed to keep CVV numbers for 7 years. They had better be able to evidence why it was necessary and to show that the data was actually being used and what for [and no, for sale to advertisers and marketing companies cannot count].

    If they can't show that all of their actions were above board and strictly legal, we all need to hope that the EU throw the book at them. We need Prestige Software's management to be extradited to Europe to serve prison time. The new EU GDPR regulation carries with it a maximum penalty of 4% of worldwide gross turnover for systemic breaches. Compute that all the way back to when the GDPR came in to effect [mid-2018] and that might begin to serve as a warning to others.

    We keep seeing stories like this. The situation is getting worse, not better. The only way to stop this is to enact a punishment strong enough to discourage further abuse. The fact that the abuse continues is a clear indicator that the punishments we have are not sufficient. Send Prestige Software's Management to jail for 5-10 years and then ask all the other Financial Services Industry companies to go on record and attest that they are not doing the same thing. In each company, have the accountable managers put their name and signature on a legally binding document declaring they are not doing the same thing. Enact a minimum 5 year prison sentence for anyone whose name goes on an attestation document at a company subsequently found to be in breach. Hold people personally liable.

    Yes, this sounds a bit draconian, a bit brutal. But these bastards keep on abusing the personal data of millions of private citizens, people whose credit scores get trashed, who get defrauded through no fault of their own, and the scumbags get away with it. Enough.

    Enforce the law.
    • Re: (Score:3, Informative)

      by mrbester ( 200927 )

      "That damned good reason had better include why they needed to keep CVV numbers for 7 years."

      Seeing as there isn't any reason to keep CVV numbers for even 7ms, let alone 7 years, it's going to have to be spectacular. Heavy fines for breaching PCI already existed long before GDPR. For UK, that goes all the way back to 1974. There's also the added bonus that card issuers will blacklist violators so they can never handle transactions of any sort again, effectively putting them out of business.

      • "Q: Can card verification codes/values be stored for card-on-file or recurring transactions? A: A card verification code or value (also referred to a CAV2, CVC2, CVV2, or CID, depending on the payment brand) is the 3- or 4- digit number printed on the front or back of a payment card. These values are considered sensitive authentication data (SAD), which, in accordance with PCI DSS Requirement 3.2, must not be stored after authorization.* Card verification codes/values are typically used for authorization
        • There is one more thing we need the Payment Card Industry to provide us with: a mechanism that permits us to implement secure One-Time Pad authentication with cards.

          The technology to do this has been around, not for years, but for decades. The Payment Card Industry choose not to implement this because it would cost them a huge amount of money to do so, money that would eat in to their profits.

          If all payment cards had a physically embedded processor that included a unique, hardware-integrated identifie
    • From your post:

      Prestige Software, if they operate in Europe

      Looking at the article, the second link:

      Company: Prestige Software, based in Spain.

    • I don't know if there are any technical laws concerning this situation either. The main problem is that the programmers/maintainers trusted AWS, which is legally not a good idea (if you technically don't trust AWS, you wouldn't use it I guess). That means that the data should have been protected (encrypted), but that would only have slowed down hackers. The decryption key had to be there also, if this was an independent service.

      Are there any laws that say third-party hosting should be treated with extra car

      • by ytene ( 4376651 )
        This is the heart of the problem. If you implement security best practices operationally, for example by adopting use of Hardware Security Modules to handle the private keys of your digital certificates, then the moment you adopt the public cloud, you are going to hit problems. Yes, a public cloud provider will give you access to *their* HSM, installed on their premises, but does that mean that their technologists [some of whom are going to be working in India for a pittance of a salary] now have root acces
  • to bash once more on that easy target that is the cloud, for once the keyword here is "misconfigured". Someone without a clue didn't set the instance right and will, perhaps, lose their job - but sadly won't be prosecuted, which is what should happen for IT folks and their employers to finally take security seriously.

    • The key word here is "fuckfaces" because that's the only kind of people who store that kind of data longer than absolutely necessary.

    • ... because the problem first came about when the company made a decision to put PII and PCI data into a public cloud environment.

      Whilst this was likely done for economic reasons [the ability of cloud to offer an elastic storage and/or elastic compute capability is not in question], the basic truth is that a public cloud environment is built for the "lowest common denominator", i.e. designed by the cloud provider to offer a service that is favourable to as many customers as possible. Since part of that w
      • by 1s44c ( 552956 )

        The problems here were that the bucket was explicitly configured to allow public access, the objects in the bucket were explicitly configured to allow public access, no effective PCI audits were performed, and CVVs were stored in violation of PCI rules.

        The problem was not a failure of AWS itself, which is certified to hold PII, PCI, healthcare data, and is used by many banks.

    • by Entrope ( 68843 )

      Negligence isn't necessarily enough to save people from serious consequences (fingers or even prison time). And some of what this company did -- like retaining payment card data for so long -- is active malfeasance in itself.

    • While I agree with your basic idea, I wish to point out that shortcomings in IT systems are not always because the people doing the work failed at something: the fault could just as easily lie with management, who gave the order "You have till tomorrow to get [some product] finished, or you are out of a job!". If that is the case here, the fault likely lies with management, who put the IT-staff under undue pressure, which meant the IT-staff took whatever shortcuts needed taking in order to not loose their j
    • by 1s44c ( 552956 )

      The way I've seen this work is that one person sets things up wrong and it gets noticed internally, probably not immediately. Because the system works management beat down the people who want to fix it. Someone outside notices the error. The inept manager who blocked the fix passes the buck and keeps his job. The people who were literally begging to fix the problem but were not allowed get the blame.

    • by cusco ( 717999 )

      Someone without a clue didn't set the instance right

      When you set permissions on an S3 bucket how much of a clue do you need to have to not understand that when the interface says that you're about to make the bucket available to EVERYONE that it really is going to make it available to EVERYONE. It's not a subtle message, either. It actually makes me wonder if it was deliberate.

  • Me now think possibility of paying cash for all things good idea. Must pay more though.
    • Me now think possibility of paying cash for all things good idea. Must pay more though.

      You literally cannot reserve most hotel rooms without a CC.

      • Then no reservation. Maybe risk sleep in car.
        • These days staying in a hotel is risky, even "in these uncertain times" many hotels are failing to do basic cleaning like changing sheets, as they always have done. Yeah I really don't want to sleep in someone else's jizz at the best of times. And then there's bedbugs. This is probably one reason why RVing is continuing to gain in popularity. Makes me wish I'd bought a bunch of stock in Camping World. They usually do terribly tragic work (I know because I've fixed some of it, and re-done it correctly) but t

          • Ha Ha! Why change sheets? Stupid! Jizz funny!
          • Sleeping in your car for a night is much more comfortable than sharing your bed with insects for a few weeks/months until you can cough up hundreds to thousands of dollars and vacate the house for an afternoon to get rid of the bugs. It might take several rounds of that, actually. Probability of that goes up exponentially as the amount you spend goes down.

            The only time I'd ever consider staying in a hotel again is if I'm going to another continent that I can't drive to. That also gives you the opportunity t

            • We bought a bus and are doing an RV conversion, gradually. I've been too busy and subsequently tired to do much to it recently, though I really need to jump on finding the battery drain. It gets over 11 MPG (quite good for a bus) and the cost of a multi-night stay in a non-disgusting hotel will pay for quite a bit of fuel.

        • by 1s44c ( 552956 )

          You can't hire a car without a CC either.

  • Secure it will be they said.

    Epic fail

  • Using our PC's is becoming more and onerous, as they "protect" us - Windows defender is flagging perfectly innocent programs as trojans. We get nagged about two factor authentication except when Microsoft wants us to switch to something they provide. All of this turning some basic tasks into t first class pain in the ass.

    While companies give away our critical personal ID and Financial information of millions for free!

    Really, at some point, this is going to have to stop being our fault.

  • Companies need to be more transparent about what data they store and how they store it. There is no reason for a company to keep personal and financial information in long term storage...use what you need and then delete it and move on.
  • “These websites are not responsible for any data exposed as a result.”

    What a load of horseshit. If your website doesn't want to be responsible for its users' data getting breached, don't partner with or outsource to companies who manage to get the data breached. QED.

  • I use S3 in my daily work. I administer our AWS account. Blocking all public access without the option to override is an option right on the main S3 page [amazon.com].

    In all reality, AWS should have this enabled by default for all new accounts with big warnings if you try to disable it.

    Sure, if you do this to an existing system, there may be bugs, and people will need to get authorized to access files, but to to otherwise just seems foolish and asking to be the subject of one of these articles.

Genius is ten percent inspiration and fifty percent capital gains.

Working...