Popular travel booking sites are hit by huge data breach exposing millions of credit card numbers

Popular travel booking sites are hit by huge data breach exposing millions of guests’ credit card numbers and personal details – could hackers have your info?

  • Major booking platforms use cloud-based reservation service Prestige Software
  • The company stored seven years’ worth of credit card data from hotel guests
  • According to internet security group, the company did not protect user data 
  • Daily Mail Australia has contacted Prestige Software for comment 

Australians holidaymaker could have their credit card numbers and personal details stolen in a massive data breach of booking websites.

Expedia, Agoda, Booking.com, Hotels.com and several other companies that all use the Cloud Hospitality backend, exposing millions to potential fraud. 

Spanish company Prestige Software owns the software that automates and synchronises hotel availabilities.

A mass data breach has hit popular travel booking sites including Expedia (pictured), potentially exposing millions of Australians to fraud

Expedia, Agoda, Booking.com, Hotels.com (pictured) and several other companies that all use the Cloud Hospitality backend

Expedia, Agoda, Booking.com, Hotels.com (pictured) and several other companies that all use the Cloud Hospitality backend

According to Website Planet, an internet security group that exposes large-scale data violations, the software company stored up to seven years’ worth of credit card data from hotel guests and travel agents ‘without any protection in place’. 

Whether the vulnerable data had actually been stolen by hackers or used for nefarious purposes is not known.

Expedia said it was aware of the breach, but that it did not impact its systems directly.

Booking sites used by Australians impacted by the breach 

Agoda 

Booking.com

Expedia

Hotels.com 

Sabre

Source: Website Planet 

‘The security of our customers is a key priority for us and something we take very seriously,’ it said.

‘We continue to work with Cloud Hospitality to assess the impact it may have had on any of our customers.’

Daily Mail Australia has contacted Prestige Software, Agoda, Booking.com, Hotels.com for comment.

Customers’ names, addresses, phone numbers, identification documents, credit card information and private booking details were reportedly left exposed.

‘With detailed information about a person’s hotel reservation, a hacker with access to the exposed files could take these details, contact the hotel, and change the dates and names on the reservation,’ Website Planet said.

‘They could then take over someone’s holiday without paying, or pose as a travel agent and sell the reservations to unsuspecting customers. They could, of course, do this more than once.’

It also revealed that hackers could use identifying information to find embarrassing material about hotel guests and use it for blackmail.

The breach was discovered due to a flaw in a popular form of cloud-based storage, known as the Amazon Web Services (AWS) S3 bucket – which meant that more than 10 million individual files were left wide open. 

Each log contained sensitive and identifiable information from customers who used the online booking systems to make travel plans. 

Each log contained sensitive and identifiable information from customers who used the online booking systems to make travel plans (Booking.com pictured)

Each log contained sensitive and identifiable information from customers who used the online booking systems to make travel plans (Booking.com pictured)

Pictured: The breach in Amazon Web Services S3 bucket showing identifiable information from customers who used the online booking systems to make travel plans

Pictured: The breach in Amazon Web Services S3 bucket showing identifiable information from customers who used the online booking systems to make travel plans

Website Planet contacted AWS and the S3 bucket was secured the following day, but the group could not confirm whether any data was stolen before the breach was discovered.

It warned all customers who used online booking platforms to contact each provider and ask about data security.

Prestige Software may lose the ability to accept credit card payments, making it almost impossible for the company to operate. 

Daily Mail Australia is not suggesting Expedia, Agoda, Booking.com or Hotels.com are responsible for data violations within systems operated by Prestige Software.

Prestige Software may lose the ability to accept credit card payments, making it almost impossible for the company to operate (Agoda pictured)

Prestige Software may lose the ability to accept credit card payments, making it almost impossible for the company to operate (Agoda pictured)