The personal data of an estimated 140,000 travelers from at least eight countries were accessible through a poorly secured database on a public server. The database was managed by the Gekko Group, a subsidiary of Accor Hotels and one of Europe’s largest hospitality companies.
One of the Largest Data Breaches Ever
Security researchers Ran Locar and Noam Rotem came across the data breach earlier this month. The team scans the internet for servers with insufficient security. According to Locar, the breach is “one of the largest ever” because of the huge amount of data that was available.
In total, more than a terabyte of sensitive data was left exposed on a public server belonging to the Gekko Group. Based in France, the group is a subsidiary of Accor Hotels and one of Europe’s largest hospitality companies. It has 600,000 hotels in its portfolio from all over the world and owns several smaller hospitality brands.
The compromised database contains personal information on hundreds of thousands of travelers, including names, accounts, passwords, e-mail addresses, telephone numbers and in some cases even credit card numbers. It was stored on a public server, accessible to everyone. The data wasn’t even encrypted, allowing it to be read in plaintext without difficulty.
What We Don’t Know
Even more worrisome is that data from travelers who have never dealt directly with Gekko Group may have been visible as well. This is because the database also contained data from websites and platforms which the Gekko Group’s systems communicate with, such as Booking.com and Hotelbeds.com.
Affected travelers came from several countries, including the United Kingdom, Belgium, the Netherlands, France, Portugal, Spain, Italy and Israel. The researchers were also able to view travel itineraries, personally identifiable information of children, home addresses and other forms of travel and hospitality-based information such as train tickets, excursions and tours.
In theory, the leak could have allowed anyone to log into private accounts and book tickets using the account’s credit card, cancel bookings, access invoices and use a company’s travel budget. It also exposed the Gekko Group and associated companies to various forms of fraud and attack, including account takeover, phishing campaigns, identity theft, ransomware and more.
A Week of Emails Before Leak was Closed
The breach was first reported on 7 November, first to AccorHotels and shortly after to the Gekko Group. The hosting company and eventually even CNIL, France’s independent regulatory body for data security and privacy, were informed. Finally, the Gekko Group confirmed that the leak was closed on 13 November.
The Gekko Group is now investigating its IT systems and says it has contacted the victims. While no malicious use has been reported so far, the Gekko Group will likely face further scrutiny over how this happened and even potential legal action.
The breach could have been easily avoided if the Gekko Group had taken some basic security measures, such as secure servers and proper access rules. They could also have gotten help from a managed security service provider.
Users are advised to immediately change passwords and user names for any platform the Gekko Group is affiliated with.