Cybernews researchers discovered an "unprotected Elasticsearch server" associated with a Kibana interface exposed on the web. This server, accessible to anyone without any protection, contained personal data about millions of individuals who had traveled to European hotels.
A hotel chain at the origin of the leak
As revealed by Cybernews' investigation, the server contained "nearly 25 million data records" relating to hotel guests. It seems that the information belongs to a large hotel chain. Investigations point to the Honotel group, a major player in the hotel industry in France and Europe, which manages more than 50 hotels located in large cities.
Alerted by the researchers, Honotel has not communicated on the situation. However, access to the server was secured shortly after Cybernews' discovery. It is no longer possible to view the personal data of guests.
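The exposure described above comes down to two configuration facts: an Elasticsearch node listening on the network with security switched off, and a Kibana instance in front of it that is equally reachable. The following added example (not part of the Cybernews report or of any Honotel system; the configuration snippets are constructed for illustration) audits the flat `key: value` settings of an `elasticsearch.yml` and a `kibana.yml` and flags exactly that combination, with a hardened configuration shown beside the exposed one.

```python
"""Offline audit of Elasticsearch / Kibana settings for an unauthenticated,
network-reachable deployment. Added example; the YAML text below is constructed."""

from typing import Dict, List, Tuple

# Bind addresses that make a listener reachable beyond the loopback interface.
PUBLIC_BIND = {"0.0.0.0", "::", "_site_", "_global_"}

Finding = Tuple[str, str]  # (code, human-readable explanation)


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines used by elasticsearch.yml / kibana.yml.
    Nested YAML is out of scope. Keys keep their case; values are lowercased
    with surrounding quotes stripped so comparisons are uniform."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)     # split on the first colon only (URLs contain more)
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit_elasticsearch(settings: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    security = settings.get("xpack.security.enabled")
    if security == "false":
        findings.append(("ES-AUTH-DISABLED",
                         "xpack.security.enabled is false: every REST request is anonymous"))
    elif security is None:
        findings.append(("ES-AUTH-UNSET",
                         "xpack.security.enabled not set: on 7.x this means security is off"))
    host = settings.get("network.host", "_local_")  # default binds loopback only
    if host in PUBLIC_BIND and security != "true":
        findings.append(("ES-PUBLIC-NOAUTH",
                         f"network.host={host} with security off exposes port 9200 to the network"))
    if host in PUBLIC_BIND and settings.get("xpack.security.http.ssl.enabled", "false") != "true":
        findings.append(("ES-HTTP-CLEARTEXT",
                         "HTTP layer is unencrypted while bound to a non-loopback address"))
    return findings


def audit_kibana(settings: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    host = settings.get("server.host", "localhost")
    if host in PUBLIC_BIND:
        findings.append(("KIBANA-PUBLIC",
                         f"server.host={host} listens on all interfaces (port 5601 by default)"))
    if "elasticsearch.username" not in settings and "elasticsearch.serviceAccountToken" not in settings:
        findings.append(("KIBANA-NOCREDS",
                         "no Elasticsearch credentials configured: consistent with a cluster that requires none"))
    if host in PUBLIC_BIND and settings.get("server.ssl.enabled", "false") != "true":
        findings.append(("KIBANA-CLEARTEXT", "Kibana serves HTTP without TLS on a public address"))
    return findings


# Constructed sample configurations (not real files from the affected deployment).
EXPOSED_ES = """
cluster.name: guest-records
network.host: 0.0.0.0          # reachable from any network
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""
HARDENED_ES = """
cluster.name: guest-records
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
EXPOSED_KIBANA = """
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
"""
HARDENED_KIBANA = """
server.host: "127.0.0.1"       # only via a reverse proxy on this host
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.serviceAccountToken: "<placeholder-token>"
"""


def audit_all(es_text: str, kibana_text: str) -> List[str]:
    """Return the finding codes for a pair of config files, ES findings first."""
    return [code for code, _ in audit_elasticsearch(parse_flat_yaml(es_text))] + \
           [code for code, _ in audit_kibana(parse_flat_yaml(kibana_text))]


if __name__ == "__main__":
    for label, es, kb in (("exposed", EXPOSED_ES, EXPOSED_KIBANA),
                          ("hardened", HARDENED_ES, HARDENED_KIBANA)):
        print(label, audit_all(es, kb) or "no findings")
```

The audit keys on the combination rather than on any single setting: binding to `0.0.0.0` is acceptable once authentication and TLS are on, which is why the hardened Elasticsearch snippet keeps the same bind address and still produces no findings. Binding Kibana to loopback and putting an authenticating reverse proxy in front is the complementary control for the UI.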
What sensitive data was exposed?
Among the personal data inadvertently exposed are names, email addresses, telephone numbers, dates of birth, country codes, languages spoken, information about visits to the hotel, details of stays (including arrival time, number of nights booked, price paid and number of guests), loyalty points accumulated, and property identifiers, i.e. the unique codes assigned to each hotel establishment. Through the Kibana interface, it was possible to view and explore the stored data, for example to search for a specific individual.
This is obviously a disaster in terms of privacy and confidentiality. In addition, this information can be exploited by cybercriminals. Using the exposed data, hackers can develop particularly convincing phishing attacks or orchestrate identity theft attempts.
At this time, there is no evidence that the exposed data has been accessed by cybercriminals. As the report points out, the GDPR (General Data Protection Regulation) requires companies to report all data leaks within 72 hours. The group would therefore have notified the authorities in the event of a breach. Of course, it is still possible that the information was accessed without anyone noticing.
Source: Cybernews
