The French B2B hotel booking firm Gekko Group, a subsidiary of AccorHotels, exposed over 1TB of data on its clients, customers and partners.
On November 7, vpnMentor researchers Noam Rotem and Ran Locar discovered that the database was unsecured and hosted on an unencrypted server.
After discovering the breach, the researchers attempted to contact AccorHotels and its data privacy office to notify them of the exposure; after receiving no response, the team reached out directly to Gekko Group and its GDPR officer.
Still receiving no reply, the research team resorted to contacting the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s independent regulatory body for data security and privacy.
Nearly a week later, the team received a response from AccorHotels, and shortly afterwards the database was closed.
The researchers wrote: “While the data belonged to AccorHotels – via their ownership of Gekko Group – it originated from many different businesses within Gekko Group. The bulk of the data came from two sources: Teldar Travel & Infinite Hotels.”
The exposed data included: hotel and transport reservations; credit card details; personally identifiable information (PII) of various parties; login credentials for client accounts on Gekko Group-owned platforms; and more.
The unsecured database also contained data originating from platforms outside the Gekko Group umbrella, thereby exposing hotels, travel agencies and their customers around the world, “many of whom had no direct relationship with Gekko Group or its brands.”
The majority of the data viewed by the researchers came from Teldar Travel and Infinite Hotel, two Gekko Group-owned platforms. Whenever a travel agent used either platform to make a reservation, the reservation data was logged in Gekko Group’s database.
The data exposed in these reservations included: full names; email addresses; home addresses; PII of children; destination hotels; travel dates; reservation information; price of stays; and data from external reservation platforms (e.g. Booking.com and Hotelbeds.com).
In addition to exposed PII data, many entries contained invoices exposing financial details of travel agents and their customers.
The researchers also viewed thousands of plain text passwords for accounts on Gekko Group-owned platforms.
“With these, hackers could enter accounts and charge purchases to virtual credit cards stored within, maxing them out before AccorHotels or Gekko Group can charge clients for reservations, and similar bookings made. This could lead to serious losses for the company,” said vpnMentor.
“The contents of the database could also help hackers and cybercriminals target the same companies in other ways. Using the information and accesses exposed, they could create effective phishing campaigns, or target companies with various forms of malicious software attacks: malware, spyware, ransomware, and more.”
Gekko Group clients are urged to change their passwords and usernames for any platform owned by Gekko Group, to prevent further unauthorised access by threat actors.
The post #Privacy: French hotel giant leaks database containing over 1TB of data appeared first on PrivSec Report.