
How Threat Intelligence Software Can Help Prevent Breaches Caused by Server Misconfigurations

Early this month, the Gekko Group, an AccorHotels subsidiary, erroneously uploaded more than 1TB of confidential information to a publicly accessible cloud-based server. This error exposed a large volume of data belonging to its partner hotels’ clients, travel agencies, and customers.

Most of the information leaked from the France-based hotel booking platform came from Teldar Travel, the company’s booking system for travel agents, and Infinite Hotel, which is responsible for the hotel inventory that serves its business-to-business (B2B) clients. The data also included confidential information about external websites the company regularly communicates with, such as hotelbeds.com, booking.com, and selectour.com.

In their blog, the vpnMentor researchers who found the leaked database gave the following details:

  • On 7 November, the researchers stumbled upon the Elasticsearch database while conducting an Internet mapping project. They sought to find its owner and immediately informed it of their discovery. They even reached out to the organization’s General Data Protection Regulation (GDPR) officer and its parent company, AccorHotels. When they didn’t receive replies, they contacted the group’s hosting company and, eventually, the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s independent regulatory body for data security and privacy.
  • By 13 November, AccorHotels had responded to the researchers’ email inquiring about the leak and proceeded to address the issue. It also thanked the researchers for informing it about the breach.

Note that the Gekko Group spokesperson clarified that the companies affected by the leak were Teldar and HCorpo and not Teldar and Infinite Hotel.

The majority of the exposed data consisted of travel and accommodation booking details, personally identifiable information (PII), login credentials in plain text, and credit card details shown on invoices. These exposed customers’ names; email and physical addresses; travel dates; hotel reservation details, including room classifications; the number of guests; and the accommodation prices paid.

In some cases, the information also contained details on tour prices, theme park destinations, airport transfers, and train travel tickets. The invoices also included the credit card details of the travel agencies and their clients.

While the Gekko Group spokesperson claimed that there is no indication that the leaked data had ties to malicious activities, the incident can have dire implications for the company, its partners, and its clients. A data leak of this magnitude can give threat actors several chances to use the information to their advantage.

Our Investigation Tool: Threat Intelligence Platform

According to the researchers’ analysis, the data leak occurred because the company uploaded sensitive information to a cloud-based storage system that was publicly configured—likely a human error.

Misconfigurations like this one can leave a server open to remote access and control by anyone who stumbles upon it, which calls for proactive measures to protect data privacy.

Among other aspects, this defensive stance includes the use of threat intelligence software that can provide exhaustive information about open ports and services, which may likewise be the product of human error. It can also check for misconfigurations in real time, adding one more layer of protection for confidential information.
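As an added example of the kind of configuration check this paragraph describes (not code from the article or from WhoisXML API), the script below audits an elasticsearch.yml, the software involved in the incident, and flags the settings that leave a node reachable from the network without authentication, beside a hardened equivalent. The setting names are real Elasticsearch options; both configuration fragments are constructed for illustration.

```python
"""Audit the Elasticsearch settings that most often turn a private index into a
publicly reachable one. Added example for this article, not code from the article
or from WhoisXML API; the two elasticsearch.yml fragments below are constructed."""

from typing import Dict, List

# Constructed sample: bound to every interface with authentication switched off.
# On a host with a public address and no firewall, this is reachable by anyone.
WEAK_CONFIG = """
cluster.name: booking-data
network.host: 0.0.0.0          # listen on all interfaces
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

# Constructed sample: bound to a private address, authentication and TLS on.
HARDENED_CONFIG = """
cluster.name: booking-data
network.host: 10.0.4.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml uses, dropping comments.
    Kept minimal on purpose so the example needs no YAML library; list values
    such as 'network.host: [_local_, _site_]' are returned as their raw text."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_flat_yaml(text)
    findings: List[str] = []

    # Elasticsearch defaults network.host to loopback; the values below widen that.
    host = s.get("network.host", "_local_")
    if host in ("0.0.0.0", "::") or "_global" in host or "_site" in host:
        findings.append(f"network.host={host}: node listens beyond loopback")

    sec = s.get("xpack.security.enabled")
    if sec is None:
        # Before 8.0 this defaulted to false on the basic license; verify, do not assume.
        findings.append("xpack.security.enabled not set: confirm authentication is on for this version")
    elif sec.lower() == "false":
        findings.append("xpack.security.enabled=false: the HTTP API accepts unauthenticated requests")

    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: traffic to port 9200 is clear text")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["no findings"])
```

Run against a node's own configuration file, a check like this belongs in the deployment pipeline rather than in an after-the-fact scan: it catches the bind-to-everything-without-auth combination before the node ever answers on the network.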

A quick check of the domain “teldartravel.com,” one of the previously identified sites, revealed several configuration warnings in our report for the site (note that these results do not establish a connection to the breach; this is an independent analysis for demonstration purposes).

The company should use this information to make sure that the redirects are legitimate and were not set by attackers hoping to point its customers and partners to malicious websites.
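One way to turn the redirect warning into a repeatable check, as an added example that is not code from the article or from WhoisXML API: walk the sequence of Location headers a client would follow and flag any hop that leaves the hosts the company controls or trusts, or that drops from HTTPS to HTTP. The allowlist and the two header sequences are constructed for illustration; a live check would collect the Location values with an HTTP client before passing them in.

```python
"""Walk a chain of HTTP redirects and flag hops that leave the hosts the
organization controls or trusts, or that drop from HTTPS to HTTP. Added example
for this article, not code from the article or from WhoisXML API. The allowlist
and the Location header sequences below are constructed for illustration."""

from typing import List, Set
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist of registrable domains the company owns or knowingly
# redirects to; a real one would come from the asset inventory.
TRUSTED_DOMAINS: Set[str] = {"teldartravel.com", "partner-booking.example"}


def host_is_trusted(host: str, trusted: Set[str] = TRUSTED_DOMAINS) -> bool:
    """Exact match or a proper subdomain; 'evilteldartravel.com' must not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def validate_redirects(start_url: str, locations: List[str],
                       trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Resolve each Location header the way a browser would (relative values
    included) and return findings; an empty list means every hop stayed on a
    trusted host and never downgraded from HTTPS."""
    findings: List[str] = []
    current = start_url
    for i, location in enumerate(locations, 1):
        nxt = urljoin(current, location)
        cur_scheme = urlsplit(current).scheme
        parts = urlsplit(nxt)
        if not host_is_trusted(parts.hostname or "", trusted):
            findings.append(f"hop {i}: redirect to untrusted host {parts.hostname}")
        if cur_scheme == "https" and parts.scheme == "http":
            findings.append(f"hop {i}: downgrade from https to http ({nxt})")
        current = nxt
    return findings


# Constructed chains: the first is what a healthy site does, the second is the
# pattern a tampered redirect would produce.
GOOD_CHAIN = ["https://www.teldartravel.com/", "/fr/"]
BAD_CHAIN = ["https://www.teldartravel.com/", "http://teldartravel-login.example.net/"]

if __name__ == "__main__":
    for chain in (GOOD_CHAIN, BAD_CHAIN):
        print(validate_redirects("http://teldartravel.com/", chain) or ["no findings"])
```

The suffix test in host_is_trusted deliberately requires the dot so that look-alike hostnames built by appending or prepending the real name do not pass as subdomains.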

The company can also further strengthen its defenses against email spoofing by enabling Domain-Based Message Authentication, Reporting, and Conformance (DMARC), which tells receiving mail servers what to do with messages that fail SPF (or DKIM) checks, so that spoofed emails that SPF alone does not stop are quarantined or rejected rather than delivered.
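The SPF and DMARC checks behind warnings like the ones above, as an added example that is not code from the article or from WhoisXML API. The TXT answers are constructed stand-ins for what DNS lookups of the domain and of its _dmarc subdomain would return; a live check would fetch them with a resolver library such as dnspython instead of the lookup_txt stub.

```python
"""Evaluate the SPF and DMARC records a domain publishes. Added example for this
article, not code from the article or from WhoisXML API. The TXT answers below are
constructed stand-ins for what DNS lookups of <domain> and _dmarc.<domain> would
return; a live check would fetch them with a resolver such as dnspython instead."""

import re
from typing import Dict, List

# Constructed sample DNS answers keyed by the queried name.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    # no _dmarc.weak.example entry: the domain publishes no DMARC policy
    "strong.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@strong.example"],
}


def lookup_txt(name: str, answers: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Stand-in for a DNS TXT query against the constructed answers."""
    return answers.get(name, [])


def evaluate_spf(records: List[str]) -> List[str]:
    """Flag the SPF weaknesses a receiver would notice: none, several, or a permissive 'all'."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell forged envelope senders from real ones"]
    findings: List[str] = []
    if len(spf) > 1:
        findings.append("multiple SPF records: RFC 7208 treats this as a permanent error")
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends with +all: every host on the Internet may send as this domain")
    elif last == "~all":
        findings.append("SPF ends with ~all (softfail): forgeries are tagged, not rejected")
    return findings


def evaluate_dmarc(records: List[str]) -> List[str]:
    """Flag a missing policy, a monitor-only policy, partial enforcement, or no reporting address."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: failed SPF/DKIM checks are neither enforced nor reported"]
    # tag=value pairs separated by semicolons; tag names are case-insensitive
    tags = {k.lower(): v.strip() for k, v in re.findall(r"([A-Za-z]+)\s*=\s*([^;]*)", dmarc[0])}
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: record is invalid without a valid p tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua tag: the domain receives no aggregate reports about abuse")
    return findings


def evaluate_domain(domain: str) -> Dict[str, List[str]]:
    """Combine both checks for one domain."""
    return {"spf": evaluate_spf(lookup_txt(domain)),
            "dmarc": evaluate_dmarc(lookup_txt(f"_dmarc.{domain}"))}


if __name__ == "__main__":
    for d in ("weak.example", "strong.example"):
        print(d, evaluate_domain(d))
```

The two constructed domains show the contrast the article draws: weak.example has SPF but ends in softfail and publishes no DMARC policy, so a forged message is at most tagged; strong.example pairs a hard-fail SPF with p=reject and a reporting address, so the same forgery is refused and reported.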

* * *

While cloud computing allows organizations to access stored data quickly from virtually anywhere in the world, they must realize that convenience sometimes comes with consequences. Small errors like a misconfiguration can have a massive impact, such as making private databases publicly accessible, as in the Gekko Group’s case. Companies must therefore ensure that their systems’ and servers’ settings are always up to par. They can use threat intelligence software to perform regular checks on their network to avoid nasty repercussions.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
