Online Hotel Booking Service Allegedly Exposed Sensitive Data
Online discounts have made their way into our everyday lives, and we have all searched for cheap hotels, flights, or rental cars. One can find just about any niche discount service with a few keywords, a few clicks, and your favorite search engine. Although many companies offer discount deals and broker savings between businesses and customers, very little is known about exactly how these companies negotiate on behalf of their customers.
Kromtech Security Researchers have discovered a database that appeared to be associated with the automated online group hotel room booking service Groupize.
The publicly accessible bucket was hosted under the 'prm-production' domain on AWS. No logins or passwords were required to access the data.
The Boston-based company serves as a broker between hotels and guests or businesses that need multiple rooms at the same time. The database contained many hotel documents, including service agreements, earnings, and details about their commissions. Researchers were able to see exactly how the discount hotel business model works in detail. Despite the discovery, Groupize denied that any sensitive information was exposed.
There was evidence that appeared to connect the data with Groupize (even the name of the bucket referred to their Pipeline Response Manager system - http://www.groupizeprm.com/), so the first breach notification was sent on August 9th. The following day I reached their corporate office by phone for comment and was told that “They do use Amazon, but nothing sensitive was there”. The employee would not transfer the call to the IT Administrator or any senior management, and offered only to take a message. Ironically, the data was secured shortly afterwards, on Aug 15th, with no comment or reply.
This could imply that the data discovered was in fact associated with Groupize.
Here is what researchers were able to see:
A folder named “Documents” contained 2,936 scans or PDFs of contracts or agreements between hotels, customers and Groupize, including credit card payment authorization forms with the full card number, expiration date and CVV code.
A folder named "all_leads" contained 3,188 spreadsheets. In a single random sample, just one spreadsheet listed a total of $12.6 Million in leads.
Folders titled WhiteLabel / attachments contained 32,695 files in 37 folders (menus, images and more).
How Does It Work?
Groupize collects data online from people looking for help with accommodations for large events and multiple bookings. Once they have an interested client, they negotiate with the hotel or venue for a discounted rate, affiliate fee or other compensation. They charge the clients on the front end for their services, and the hotel also pays them a percentage. Included among the many documents discovered were contracts of service between Groupize and the business customers who used their services for weddings, funerals, and a host of other events. Some of these contain credit card numbers and other sensitive information that could be used by cyber criminals for theft or fraud. It is unclear how long the data was publicly available or who, other than security researchers, might have accessed the files.
It is always interesting to see behind the doors of how a company or an industry operates, but criminals obtaining this information can put the entire business at risk. Even if the data is not a protected trade secret or revolutionary new technology, it can harm your customers and your business if it is compromised by the wrong individuals.
This is another wakeup call for businesses to protect their own data and the data of their customers. Technology makes it easier than ever before to collect and manage data, but without the proper security measures it is an accident waiting to happen.
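The exposure described above came down to an S3 bucket that answered requests without any credentials. The following is an added example (not Kromtech's, Groupize's, or AWS's code) of the check a bucket owner can run to catch that condition before anyone else does: it inspects a bucket ACL, a bucket policy and the Block Public Access configuration for the grants that make a bucket reachable without a login. It assumes documents in the shape that boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return; the sample ACL and policy below are constructed for illustration and are not data from the incident.

```python
"""Flag S3 bucket ACLs and policies that allow access without credentials.

Added example; not code from the article or from any of the companies it names.
Input documents are assumed to have the shape boto3 returns for
get_bucket_acl / get_bucket_policy / get_public_access_block.
"""
import json

# Canned-group URIs whose grants open a bucket to the whole internet or to any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((PUBLIC_GRANTEES[grantee["URI"]], grant.get("Permission")))
    return findings


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, [actions]) for unconditioned Allow statements with a wildcard principal."""
    if isinstance(policy, str):  # get_bucket_policy returns the document as a JSON string
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a conditioned wildcard grant needs a human look; not auto-flagged
        actions = stmt.get("Action", [])
        findings.append((stmt.get("Sid", f"statement[{i}]"),
                         [actions] if isinstance(actions, str) else list(actions)))
    return findings


def block_is_complete(pab):
    """True when all four S3 Block Public Access settings are switched on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return pab is not None and all(pab.get(k) is True for k in keys)


def audit_bucket(name, acl, policy=None, pab=None):
    """Summarise whether a bucket can be read without credentials."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    blocked = block_is_complete(pab)
    return {
        "bucket": name,
        "acl_public": acl_findings,
        "policy_public": policy_findings,
        "block_public_access": blocked,
        # With all four Block Public Access settings on, public ACLs are ignored and public
        # policies are restricted, so an existing public grant no longer exposes the data.
        "exposed": bool(acl_findings or policy_findings) and not blocked,
    }


# --- constructed sample input (illustrative only; not data from the incident) ---
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},  # world-listable bucket, the condition described in the article
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CIOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY))
    print(audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY, HARDENED_PAB))
```

Against a live account the same functions take the `Grants` list from `get_bucket_acl`, the `Policy` string from `get_bucket_policy` and the `PublicAccessBlockConfiguration` dict from `get_public_access_block`; a bucket whose report shows `"exposed": True` is one that will answer unauthenticated requests, which is exactly what the researchers found here. Turning on all four Block Public Access settings at the account level is the simplest way to make that report come back clean for every bucket at once.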
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org