A wide range of sensitive information of millions of hotel guests has been discovered sitting on an unsecured server and accessible for anyone to view. The data was stored on a misconfigured Amazon Web Services (AWS) S3 bucket belonging to Prestige Software, a Spain-based company that sells hotel reservation management software.

The leak, reported by Website Planet, originated from the Spanish company’s Cloud Hospitality channel management software, which is used by hotels to automate the status of their vacancies on various booking websites. Since the platform is used to connect with the reservation websites, some of the data came from popular online travel agencies, such as Expedia, Booking.com, and Agoda, although they cannot be faulted for the data exposure.

RELATED READING: Five tips for keeping your database secure

The data comprised over 10 million log files, including some that go as far back as 2013, and consisted of a range of Personally Identifiable Information (PII), such as guests’ full names, national ID numbers, email addresses, phone numbers, as well as details such as the reservation number, dates, number of guests and their names and the price paid. Moreover, the leaky AWS S3 bucket also contained valuable financial data, notably credit card numbers, credit card verification codes (CVV) and expiration dates, along with the cardholders' names.

Website Planet also confirmed the veracity of the data by checking that a sample of the leaked email addresses belonged to real people. While currently there is no evidence of any threat actors gaining access to the data, researchers can’t guarantee that the data wasn’t accessed before they discovered the misconfigured server. The researchers also contacted AWS and the bucket has since been secured.

The amount and variety of the records exposed would give hackers plenty of material for all manner of malicious activity. The hotel guests could fall victim to identity theftphishing and other social engineering attacks, and even financial fraud, due to the leaked credit card data. However, black hats don’t have to abuse the data themselves; instead, they could sell it off on the dark web in bulk.

RELATED READING: Details of 142 million MGM hotel guests selling for US$2,900

Businesses that run afoul of data protection laws, notably the European Union’s General Data Protection Regulation (GDPR), may face serious consequences for privacy and security lapses.