The personal information of almost half a million people is now in the hands of hackers after a security breach of a company used by some of the world’s best known hotel brands.
Hotel management software provider Otelier boasts that more than 10,000 hotels – including brands like Marriott, Hilton, and Hyatt – use its cloud-based solution to help them run their operations.
Otelier has now disclosed that hackers allegedly breached its systems from July until October 2024, with hackers stealing what they claim to be 7.8 terabytes worth of customer data from the company’s Amazon S3 buckets.
Troy Hunt’s “Have I Been Pwned” service claims that over 430,000 unique email addresses have been exposed in the breach – including guests’ names, physical addresses, phone numbers, purchase information, and partial credit card numbers.
Otelier, which was previous known as MyDigitalOffice, is used by hotels around the world to manage guest reservations, transactions, and invoicing.
According to a Bleeping Computer report, the hackers claim that they initially compromised the Otelier’s Atlassian server after using malware to steag login credentials belonging to an employee.
The hackers used the stolen credentials to scoop up data, which included the login information for Otelier’s S3 buckets.
The hackers claimed to Bleeping Computer that they had downloaded huge amounts of data, including millions of documents from S3 buckets managed by Otelier that belonged to the Marriott hotel chain.
For its part Marriott says that it has “taken appropriate measures, including suspending the automated services provided by Otelier until the completion of their investigation, and those services remain suspended.”
According to reports, the hackers initially believed (because of the nature of some of the data they found in the S3 buckets) that the compromised systems belonged to Marriott. The hackers are said to have made an unsuccessful attempt to extort money from the hotel giant by leaving ransom notes in the buckets, which were later wiped.
It is hard, however, to think of Marriott and the pther famous hotel brands, however, appear to be innocent parties. It was Otelier’s systems which were breached.
“Our top priority is to safeguard our customers while enhancing the security of our systems to prevent future issues. Otelier has been in communications with its customers whose information was potentially involved,” said an Otelier spokesperson. “In response to this incident, we hired a team of leading cybersecurity experts to perform a comprehensive forensic analysis and validate our systems. The investigation determined that the unauthorized access was terminated. In order to help prevent a similar incident from occurring in the future, Otelier disabled the involved accounts and continues to work to enhance its cybersecurity protocols.”
Security breaches like this underline the growing risk posed by the supply chain. It isn’t enough to know that your own business is doing a good job at protecting the data entrusted to it by its customers. You also need to consider how well the data is being secured by the third-parties and services you partner with to process sensitive information.
