European hotel booking platform provider Gekko Group mistakenly stored over 1 terabyte of information on a publicly configured server, exposing troves of data related to its hotel B2B clients, as well as travel agents and their customers.
The majority of the exposed data was collected by Gekko brands Teldar Travel, which provides a booking system for travel agents, and Infinite Hotel, a distribution specialist that provides an inventory of hotels to B2B clients. But other data was originally collected by Gekko's third-party partners and external reservations platforms, including Booking.com, Hotelbeds.com, Occius, Infra, Smile, Mondial Assistance and Selectour.com.
Exposed data included hotel and transportation booking details, personally identifiable information, invoices with credit card details, and plain-text login credentials used by Gekko's clients. Booking info and PII typically consisted of names, email addresses, home addresses, dates of travel, destination hotels and reservation details such as number of guests, room types and price of stays. Outside of room bookings, the database also stored details on theme park and tour excursion tickets, airport transfers, and Eurostar train tickets. The credit card information found on the invoices pertained to a mix of both travel agents and their clients.
Researchers with vpnMentor found the Elasticsearch database while performing an internet mapping project, and ultimately traced the contents to Gekko and its parent company AccorHotels, which are both based in France. According to a company blog post, the vpnMentor team, led by Noam Rotem and Ran Locar, discovered the leak on Nov. 7 and twice reached out to Gekko and AccorHotels over the course of the week. By Nov. 13, AccorHotels reportedly had secured the server.
According to vpnMentor, the leaky server could have serious consequences if any malicious individuals accessed any of the data. Adversaries could use the exposed credentials to take over the accounts of Gekko's B2B clients, or leverage information on travelers to devise realistic email phishing schemes.
"This breach represents a serious lapse in data security by Gekko Group and its subsidiaries, compromising the privacy of their customers, clients, AccorHotels, and the businesses themselves," said the vpnMentor blog post. "For two companies of their respective sizes and market shares, Gekko Group and AccorHotels would be expected to have more robust data security. By exposing such a huge amount of sensitive data, they will likely face serious questions over how this happened, and their wider data security policies for all brands they own."
The advent of convenient cloud-based storage continues to pose a security challenge to companies that overlook server misconfigurations.
"Enterprise infrastructures are filled with tens of thousands of cloud resources that create opportunities for leakage. In this case, it's likely that an identity changed the privacy configurations for a legitimate reason for a single ElasticSearch server, exposing more than a terabyte of sensitive data," said Balaji Parimi, CEO of CloudKnox Security, in emailed comments. "Because companies struggle so badly with visibility into complex multi-cloud environments, finding these vulnerabilities can be like looking for a needle in a haystack. At this scale, a prevention-first approach is critical. It all starts with properly authorizing which identities… can carry out sensitive operations like making a resource public, and providing them with proper training."
"Cloud computing and storage has made it incredibly easy for organizations to store vast amounts of data and have it available across different geographies and devices," said Javvad Malik, security awareness advocate at KnowBe4. "However, with this convenience also comes the challenge that any minor misconfiguration can have massive implications, such as the making of a private database publicly accessible. In this incident though, there is a deeper issue. Not only was there a misconfiguration, but the database was holding credit card numbers and unencrypted passwords, which [flies] in the face of regulations and all good security practices. It illustrates that security isn't something that can be procured via a technology and forgotten about. Rather, good security needs to be embedded as a part of organizational culture so that across the business, everyone not only sees the value of security, but actively seeks to implement it and avoid malpractice such as storing excessive amounts of data in unsecured environments."
A spokesperson from Gekko responded to SC Media's request for comment, noting that "there is no indication" that the leaky server "has been exploited for fraudulent or malicious purposes."
"The security flaw was immediately corrected on November 13th. Two vulnerability detection tools have since been integrated into the security processes across Gekko's IT systems to ensure that an incident of this nature will not occur in the future," the spokesperson's statement continued. "Gekko's affected clients have been informed and specific assistance has been put in place to support them in communicating with their clients and carrying out their legal obligations."
In a discrepancy from vpnMentor's reporting, the spokesperson also said the two Gekko companies affected by the server were Teldar and online reservations solution provider HCorpo, not Teldar and Infinite Hotel.