Exposed database left terabyte of travelers' data open to the public

Exclusive: The database has information on hundreds of thousands of travelers, including credit card numbers, names and addresses.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

One of the largest travel booking companies in Europe left its data exposed on an unprotected server, researchers say.

Kiattisak Lamchan / EyeEm

When it comes to travel, most people are concerned with planning their trip, getting the best price and making sure they've packed everything. Now they also need to worry about whether their reservation companies have properly secured their data: Security researchers found that one of Europe's largest hotel booking companies left more than a terabyte of sensitive data exposed on a public server.

The exposed database contained travelers' information like names, home addresses, lodging, children's personal information, credit card numbers and thousands of passwords stored in plaintext, the security researchers said Wednesday. The database stores information on 140,000 clients, each of which could be an individual, a group of travelers or an organization.

The database belongs to Gekko Group, a subsidiary of France-based AccorHotels, Europe's largest hospitality company. Gekko Group handles business travel and luxury travel with more than 600,000 hotels across the world, according to its website. AccorHotels referred to Gekko Group for comment. 

Fabrice Perdoncini, Gekko Group's CEO, said that the company has secured the database and is launching an internal investigation on its IT systems.

"Ensuring the adequate protection of our clients' data is of utmost importance to Gekko Group, a B2B company," Perdoncini said in a statement. "We acknowledge the seriousness of this matter and confirm that no malicious use or misuse of data has been reported so far."  

The company said that it was informing its affected clients and that less than 1,000 unencrypted credit card numbers were stored on the database. But more credit card numbers could have been seen in document scans stored on the server.

Watch this: What to do if your personal information is part of a data breach

The pile of leaked passwords contained the credentials for the World Health Organization, and a potential hacker could have used those credentials to book travel using the group's budget, the security researchers said. The WHO didn't respond to a request for comment. 

The discovery came via independent security researchers Noam Rotem and Ran Locar, who worked with Israeli security company VPNMentor to find the exposed database. "It's unfortunately not the first time we see a data breach of this scale with that type of sensitive information. It's sadly a much more common issue than one would think," Rotem said in a statement.

The researchers found the database, which is hosted on Elasticsearch, through an online scan, while looking for servers that lacked proper protections.

"This breach represents a serious lapse in data security by Gekko Group and its subsidiaries, compromising the privacy of their customers, clients, AccorHotels, and the businesses themselves," VPNMentor said in a blog post Wednesday.

As more companies move to store their data on cloud servers, they're driving cybersecurity concerns about properly protecting sensitive data. Security researchers have found volumes of sensitive data exposed online in unsecured databases as they look to warn companies to protect that data before a malicious hacker finds it. 

In the past year, researchers found exposed databases showing debt from millions of people, along with open servers hosting millions of Facebook records. While security researchers found those first, hackers have also taken advantage of open servers. In July, a hacker allegedly stole the credit card applications of more than 100 million US citizens from Capital One's Amazon Web Services cloud server.

Rotem and Locar said they reported the exposed database to Gekko Group and AccorHotels on Nov. 7 and got a  response on Nov. 13. The company told the researchers that it's since secured the server, according to Rotem and Locar.

Even if you've never interacted with those two companies, data from their partners was also exposed, the researchers said. The database had a significant amount of data from websites like Booking.com and Hotelbeds.com open to the public, including personal information and credit card numbers, researchers said. 

Booking.com and Hotelbeds.com didn't respond to a request for comment.

VPNMentor's researchers also saw travel itineraries left on the open server, like tickets to Euro Disney and travel plans between hotels and airports with personal information.

The server was hosted in France, but the affected travelers came from several countries including Spain, the United Kingdom, the Netherlands, Portugal, France, Belgium, Italy and Israel, researchers said.  

"For two companies of their respective sizes and market shares, Gekko Group and AccorHotels would be expected to have more robust data security," VPNMentor said. "By exposing such a huge amount of sensitive data, they will likely face questions over how this happened, and their wider data security policies for all brands they own."