Hotel reservation platform Prestige Software reveals hundreds of thousands of guest data

[German]Prestige Software, an international B2B hotel reservation platform whose clients include Expedia and, has disclosed the data of hundreds of thousands of guests of its affiliated hotel chains in a privacy incident. I


Madrid and Barcelona-based Prestige Software sells hotels a channel management platform called Cloud Hospitality. This software automates the provision of free hotel rooms on online booking websites like Expedia and The company stored credit card data of hotel guests and travel agents for years without any protection, exposing millions of people to the risk of fraud and online attacks.

Incorrectly configured Amazon AWS S3 Bucket

A WebsitePlanet security team found a misconfigured Amazon AWS S3 Bucket belonging to Prestige Software, an international B2B hotel reservation platform. The Se Bucket contained customer data from booking platforms from Expedia and etc. Through the unprotected AWS S3 Bucket, the data of hundreds of thousands of international hotel guests was disclosed, including PIIs (full name, national ID numbers, phone numbers, etc.), unchecked credit card information and reservation details.

In a Blog post, the security researchers disclose the details. In the open S3 bucket, the following private data of hotel guests was found:

  • PII data: Full names, e-mail addresses, national ID numbers and phone numbers of hotel guests
  • Credit card details: card number, cardholder name, CVV and expiration date
  • Payment details: Total cost of the hotel reservation
  • Reservation details: reservation number, dates of stay, the price paid per night, any additional requests from guests, number of persons, names of guests and much more.

Each of these records revealed sensitive and valuable Personal Information (PII) belonging to the persons who made the reservations. The following booking platforms are among those affected:

  • Agoda
  • Amadeus
  • Expedia
  • Hotelbeds
  • Omnibees
  • Sabre

This is only an excerpt of the customer list. The S3 bucket contained over 180,000 records from August 2020 alone, many of which related to hotel reservations made on numerous websites, even though global hotel bookings for that period were at an all-time low. In total, over 10 million individual log files dating back to 2013 are openly accessible.


However, it is difficult to say how many people are affected because the amount of data is very large. In addition, many of the data logs contained PII data for numerous people on a reserve (e.g. families). Finally, some of the data logs contained changes and deletions. For these reasons, the actual number of people exposed could be much higher than the number of reservations logged.

The S3 bucket is secured now, but was still open for use during the investigation, with new data sets being uploaded within a few hours after the investigation by the security researchers. Details can be found in the linked blog post. The whole thing is likely to become a case for the DSGVO and will affect many hotel guests. I assume that my data is also somewhere underneath, since I have not been able to avoid hotel bookings via such platforms as in the past years.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *