Credit Card Numbers For Millions of Hotel Guests Exposed By Misconfigured Cloud Database (threatpost.com) 46
"A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket," reports Threatpost.
"The records include sensitive data, including credit-card details." Prestige Software's "Cloud Hospitality" is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com. The incident has affected 24.4 GB worth of data in total, according to the security team at Website Planet, which uncovered the bucket.
Many of the records contain data for multiple hotel guests that were grouped together on a single reservation; thus, the number of people exposed is likely well over the 10 million, researchers said. Some of the records go back to 2013, the team determined — but the bucket was still "live" and in use when it was discovered this month. "The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks," according to the firm, in a recent notice on the issue. "The S3 bucket contained over 180,000 records from August 2020 alone...."
The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more. The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more....
A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitch showed that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.
"The records include sensitive data, including credit-card details." Prestige Software's "Cloud Hospitality" is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com. The incident has affected 24.4 GB worth of data in total, according to the security team at Website Planet, which uncovered the bucket.
Many of the records contain data for multiple hotel guests that were grouped together on a single reservation; thus, the number of people exposed is likely well over the 10 million, researchers said. Some of the records go back to 2013, the team determined — but the bucket was still "live" and in use when it was discovered this month. "The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks," according to the firm, in a recent notice on the issue. "The S3 bucket contained over 180,000 records from August 2020 alone...."
The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more. The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more....
A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitch showed that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.
Is the hole closed? Are we exposed? (Score:5, Informative)
I'm frustrated that neither of the two most relevant questions to this story weren't answered in the summary, especially for one such as myself that does their fair share of online hotel reservations. For those like myself who are concerned, here are the answers from the article:
“We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” researchers said. “So far, there is no evidence of this happening.”...Researchers contacted AWS directly, and the S3 bucket was secured the following day.
Re: Is the hole closed? Are we exposed? (Score:1)
the cvv too? (Score:2)
Re:the cvv too? (Score:4)
Judging from having read the two articles linked, Prestige Software is not going to survive this (my conclusion). They are going to be looking at a massive fine and they will have lost the trust of their customers.
Re: the cvv too? (Score:2)
Not to mention a potential class action suit.
Re: (Score:3)
They'll probably lose their PCI certification, which allows them to process credit cards.
Re: (Score:1)
Amazon S3 seems to have regressed (Score:2)
Back around 2017 AWS introduced a bright orange "Public Access" pill to the S3 management interface that decorated any buckets that had been granted public access permissions. This was great and made it easy to monitor for and fix any buckets that got created with (or were later updated with) these permissions.
But it didn't last. The current S3 management interface seems to have regressed because those pills don't appear any more and you're back to manually checking each S3 bucket by hand for public permiss
Re: (Score:2)
Withdrawing that "Pill" feature may mean AWS will have to share culpability unless they had good and legitimate reasons for that step. This is just speculation on my part, this kind of service is far from my area of expertise.
Memo to self: run those self-tests again, the current edition of the German magazine C't goes into exactly that kind of stress testing - it is a very common problem and the people who offer such solutions when their customers don't understand how to configure them correctly. How much
Re: (Score:1)
"This is just speculation on my part, this kind of service is far from my area of expertise."
You recognize that you have no real clue what you're talking about, yet you still posted this. Why?
Any time you can honestly start a post with "I'm just guessing about a topic I have no knowledge of", you should consider NOT POSTING.
Re: (Score:2)
This is Slashdot and I have seen some incredible misinformed speculation here on events where I was actually involved, and it was *not* labeled as such.
Re: (Score:2)
This is the fault of whatever idiot created the S3 bucket. You have to deliberately allow public access to it, and there are multiple warnings when you do it. So they 1) enabled access deliberately, and 2) left it that way. Whoever caused this fiasco needs to be banned from working in tech.
nobody done it (Score:3)
Re: (Score:2)
Except that this isn't a company that deals with end-users. They host data for companies. No EULAs here.
Stricter Legislation and Enforcement (Score:5, Interesting)
In Europe, Data Privacy laws require that data be deleted once it is no longer "necessary" to the business. That means that Prestige Software, if they operate in Europe, better have a damned good reason for keeping records that go back to 2013. That damned good reason had better include why they needed to keep CVV numbers for 7 years. They had better be able to evidence why it was necessary and to show that the data was actually being used and what for [and no, for sale to advertisers and marketing companies cannot count].
If they can't show that all of their actions were above board and strictly legal, we all need to hope that the EU throw the book at them. We need Prestige Software's management to be extradited to Europe to serve prison time. The new EU GDPR regulation carries with it a maximum penalty of 4% of worldwide gross turnover for systemic breaches. Compute that all the way back to when the GDPR came in to effect [mid-2018] and that might begin to serve as a warning to others.
We keep seeing stories like this. The situation is getting worse, not better. The only way to stop this is to enact a punishment strong enough to discourage further abuse. The fact that the abuse continues is a clear indicator that the punishments we have are not sufficient. Send Prestige Software's Management to jail for 5-10 years and then ask all the other Financial Services Industry companies to go on record and attest that they are not doing the same thing. In each company, have the accountable managers put their name and signature on a legally binding document declaring they are not doing the same thing. Enact a minimum 5 year prison sentence for anyone whose name goes on an attestation document at a company subsequently found to be in breach. Hold people personally liable.
Yes, this sounds a bit draconian, a bit brutal. But these bastards keep on abusing the personal data of millions of private citizens, people whose credit scores get trashed, who get defrauded through no fault of their own, and the scumbags get away with it. Enough.
Enforce the law.
Re: (Score:3, Informative)
"That damned good reason had better include why they needed to keep CVV numbers for 7 years."
Seeing as there isn't any reason to keep CVV numbers for even 7ms, let alone 7 years, it's going to have to be spectacular. Heavy fines for breaching PCI already existed long before GDPR. For UK, that goes all the way back to 1974. There's also the added bonus that card issuers will blacklist violators so they can never handle transactions of any sort again, effectively putting them out of business.
Re: Stricter Legislation and Enforcement (Score:2)
And a Technical Enhancement (Score:2)
The technology to do this has been around, not for years, but for decades. The Payment Card Industry choose not to implement this because it would cost them a huge amount of money to do so, money that would eat in to their profits.
If all payment cards had a physically embedded processor that included a unique, hardware-integrated identifie
Re: (Score:2)
From your post:
Looking at the article, the second link:
Re: (Score:2)
I don't know if there are any technical laws concerning this situation either. The main problem is that the programmers/maintainers trusted AWS, which is legally not a good idea (if you technically don't trust AWS, you wouldn't use it I guess). That means that the data should have been protected (encrypted), but that would only have slowed down hackers. The decryption key had to be there also, if this was an independent service.
Are there any laws that say third-party hosting should be treated with extra car
Re: (Score:2)
As tempting as it is (Score:2)
to bash once more on that easy target that is the cloud, for once the keyword here is "misconfigured". Someone without a clue didn't set the instance right and will, perhaps, lose their job - but sadly won't be prosecuted, which is what should happen for IT folks and their employers to finally take security seriously.
Re: (Score:2)
The key word here is "fuckfaces" because that's the only kind of people who store that kind of data longer than absolutely necessary.
It's More Than That... (Score:2)
Whilst this was likely done for economic reasons [the ability of cloud to offer an elastic storage and/or elastic compute capability is not in question], the basic truth is that a public cloud environment is built for the "lowest common denominator", i.e. designed by the cloud provider to offer a service that is favourable to as many customers as possible. Since part of that w
Re: (Score:2)
The problems here were that the bucket was explicitly configured to allow public access, the objects in the bucket were explicitly configured to allow public access, no effective PCI audits were performed, and CVVs were stored in violation of PCI rules.
The problem was not a failure of AWS itself, which is certified to hold PII, PCI, healthcare data, and is used by many banks.
Re: (Score:2)
Negligence isn't necessarily enough to save people from serious consequences (fingers or even prison time). And some of what this company did -- like retaining payment card data for so long -- is active malfeasance in itself.
Re: (Score:3)
Re: (Score:3)
The way I've seen this work is that one person sets things up wrong and it gets noticed internally, probably not immediately. Because the system works management beat down the people who want to fix it. Someone outside notices the error. The inept manager who blocked the fix passes the buck and keeps his job. The people who were literally begging to fix the problem but were not allowed get the blame.
Re: (Score:2)
Someone without a clue didn't set the instance right
When you set permissions on an S3 bucket how much of a clue do you need to have to not understand that when the interface says that you're about to make the bucket available to EVERYONE that it really is going to make it available to EVERYONE. It's not a subtle message, either. It actually makes me wonder if it was deliberate.
Cash (Score:2)
Re: (Score:2)
Me now think possibility of paying cash for all things good idea. Must pay more though.
You literally cannot reserve most hotel rooms without a CC.
Re: (Score:2)
Re: (Score:2)
These days staying in a hotel is risky, even "in these uncertain times" many hotels are failing to do basic cleaning like changing sheets, as they always have done. Yeah I really don't want to sleep in someone else's jizz at the best of times. And then there's bedbugs. This is probably one reason why RVing is continuing to gain in popularity. Makes me wish I'd bought a bunch of stock in Camping World. They usually do terribly tragic work (I know because I've fixed some of it, and re-done it correctly) but t
Re: (Score:1)
Re: (Score:2)
Sleeping in your car for a night is much more comfortable than sharing your bed with insects for a few weeks/months until you can cough up hundreds to thousands of dollars and vacate the house for an afternoon to get rid of the bugs. It might take several rounds of that, actually. Probability of that goes up exponentially as the amount you spend goes down.
The only time I'd ever consider staying in a hotel again is if I'm going to another continent that I can't drive to. That also gives you the opportunity t
Re: (Score:3)
We bought a bus and are doing an RV conversion, gradually. I've been too busy and subsequently tired to do much to it recently, though I really need to jump on finding the battery drain. It gets over 11 MPG (quite good for a bus) and the cost of a multi-night stay in a non-disgusting hotel will pay for quite a bit of fuel.
Re: (Score:2)
You can't hire a car without a CC either.
Put it all on the cloud they said (Score:2)
Secure it will be they said.
Epic fail
The security conundrum (Score:2)
While companies give away our critical personal ID and Financial information of millions for free!
Really, at some point, this is going to have to stop being our fault.
Need more transparency... (Score:1)
“websites not responsible for any data expos (Score:2)
“These websites are not responsible for any data exposed as a result.”
What a load of horseshit. If your website doesn't want to be responsible for its users' data getting breached, don't partner with or outsource to companies who manage to get the data breached. QED.
How hard is it really? (Score:2)
I use S3 in my daily work. I administer our AWS account. Blocking all public access without the option to override is an option right on the main S3 page [amazon.com].
In all reality, AWS should have this enabled by default for all new accounts with big warnings if you try to disable it.
Sure, if you do this to an existing system, there may be bugs, and people will need to get authorized to access files, but to to otherwise just seems foolish and asking to be the subject of one of these articles.