Popular Reservation Platform Exposes Expedia, Hotels.com Guest Data

NOTICE: If you booked a reservation online using any of the listed entities between 2013 through 2020 and/or have received a NOTICE OF DATA BREACH regarding this incident, contact the Arnold Law Firm at (916) 777-7777.

hotel booking platform data breach On November 6, 2020, online technology company Website Planet reported a massive data breach involving popular international hotel reservation platform Cloud Hospitality, the main product of Prestige Software.

Cloud Hospitality is a channel management system that automates the booking process for the world’s biggest internet-based hotel reservation sites and ensures room availability is updated across all relevant sites. For example, if a room is booked on Expedia, the automated channel manager also shows that the room is no longer available on Booking.com and Hotels.com.

Prestige Software reportedly stored more than 24 GB of hotel guest and travel agent data dating back to 2013 on a misconfigured Amazon Web Services (AWS) server without any security protection in place – leaving personal information associated with over 10 million hotel reservations logs from numerous websites exposed to the public. However, the number of individuals affected may be much higher than 10 million, because many reservation logs include multiple guests.

Compromised confidential data includes:

  • Full names
  • Phone numbers
  • Personal requests, additional guest names
  • Credit card numbers with cardholder names, CVVs and expiration dates
  • Reservation details, such as cost of hotel reservations, prices paid and dates of stay
  • Email addresses
  • Reservation numbers
  • Methods of payment and billing information
  • National ID numbers, such as passport numbers and driver license numbers

“Every website and booking platform connected to Cloud Hospitality was probably affected,” according to Website Planet. Prestige Software claims to serve over 900 hospitality company clients, including known users:

  • Agoda
  • Amadeus
  • Booking.com
  • Expedia
  • Hotels.com
  • Hotelbeds
  • Omnibees
  • Sabre

Prestige Software has since secured the server, according to the report. However, it has not yet formally notified users of the security incident. It is not known how long the data was left open, or if the data was stolen by malicious actors during the breach. 

Based in Spain, Prestige Software is a prominent international technology and computer services company that is highly-rated and widely used in the hotel industry in over 26 countries. The company is subject to the General Data Protection Regulation and the Payment Card Industry Data Security Standard, known as PCI DSS. The Sacramento data breach lawyers at the Arnold Law Firm will continue to monitor this possible data breach and provide updated information as our investigation continues.

NOTICE: If you booked a reservation online using any of the listed entities between 2013 through 2020 and/or have received a NOTICE OF DATA BREACH regarding this incident, contact the Arnold Law Firm at (916) 777-7777 to discuss your situation and possible developing legal options.