FlyerTalk Forums


itisme Nov 20, 2019 9:44 am

Huge data breach AccorHotels
 
When it comes to travel, most people are concerned with planning their trip, getting the best price and making sure they've packed everything. Now they also need to worry about whether their reservation companies have properly secured their data: Security researchers found that one of Europe's largest hotel booking companies left more than a terabyte of sensitive data exposed on a public server.

The exposed database contained travelers' information like names, home addresses, lodging, children's personal information, credit card numbers and thousands of passwords stored in plaintext, the security researchers said Wednesday. The database stores information on 140,000 clients, each of which could be an individual, a group of travelers or an organization.

The database belongs to Gekko Group, a subsidiary of France-based AccorHotels, Europe's largest hospitality company. Gekko Group handles business travel and luxury travel with more than 600,000 hotels across the world, according to its website. AccorHotels referred to Gekko Group for comment.

Fabrice Perdoncini, Gekko Group's CEO, said that the company has secured the database and is launching an internal investigation on its IT systems.

"Ensuring the adequate protection of our clients' data is of utmost importance to Gekko Group, a B2B company," Perdoncini said in a statement. "We acknowledge the seriousness of this matter and confirm that no malicious use or misuse of data has been reported so far."

The company said that it was informing its affected clients and that less than 1,000 unencrypted credit card numbers were stored on the database. But more credit card numbers could have been seen in document scans stored on the server.

The pile of leaked passwords contained the credentials for the World Health Organization, and a potential hacker could have used those credentials to book travel using the group's budget, the security researchers said. The WHO didn't respond to a request for comment.

The discovery came via independent security researchers Noam Rotem and Ran Locar, who worked with Israeli security company VPNMentor to find the exposed database. "It's unfortunately not the first time we see a data breach of this scale with that type of sensitive information. It's sadly a much more common issue than one would think," Rotem said in a statement.

Rotem and Locar said they reported the exposed database to Gekko Group and AccorHotels on Nov. 7 and got a response on Nov. 13. The company told the researchers that it's since secured the server, according to Rotem and Locar.

Even if you've never interacted with those two companies, data from their partners was also exposed, the researchers said. The database had a significant amount of data from websites like Booking.com and Hotelbeds.com open to the public, including personal information and credit card numbers, researchers said.

The server was hosted in France, but the affected travelers came from several countries including Spain, the United Kingdom, the Netherlands, Portugal, France, Belgium, Italy and Israel, researchers said.

"For two companies of their respective sizes and market shares, Gekko Group and AccorHotels would be expected to have more robust data security," VPNMentor said. "By exposing such a huge amount of sensitive data, they will likely face questions over how this happened, and their wider data security policies for all brands they own."

Source:

https://www.cnet.com/news/exposed-da...to-the-public/

hotel_user Nov 20, 2019 1:53 pm

Wow - Just wow.

Maelstrom Nov 20, 2019 4:20 pm


Originally Posted by itisme (Post 31758210)

Rotem and Locar said they reported the exposed database to Gekko Group and AccorHotels on Nov. 7 and got a response on Nov. 13.

This isn't even surprising - even on a matter like this, Accor took a week to respond.

CanadaDH Nov 20, 2019 5:51 pm


Originally Posted by Maelstrom (Post 31759680)
This isn't even surprising - even on a matter like this, Accor took a week to respond.

Maybe they should have reached out to Accor on Twitter or Facebook to report the breach.

Accor is such a well-run organization, with top notch IT systems, responsive service teams, and some of the brightest professionals in the business, it's surprising they would be capable of such gross negligence and then follow it up with a stunningly slow response to the problem... Said nobody. Ever.

I think Accor HQ is where people who are otherwise unemployable go to work, because they know they will fit right in.

starflyergold Nov 20, 2019 11:48 pm


Originally Posted by CanadaDH (Post 31759937)

I think Accor HQ is where people who are otherwise unemployable go to work, because they know they will fit right in.

Let's keep the discussion somewhat reasonable. I'm not sure such sweeping generalisations are helpful. @:-)

On the question of the data breach Accor (or to be precise one of their subsidiaries) is just one of the latest travel companies being caught out by their lax handling of sensitive data. I've been through this with Hilton and Starwood. Hilton in particular was a nightmare for me. What they all have in common is the slow response in alerting customers and regulators.

I would hope Accor would come here (and directly to members) and clarify how this data breach affects customers (or not).

fransknorge Nov 21, 2019 5:33 am

GDPR regulations were done for multiple reasons, one was to decrease the response time to alert regulators. I have not received any email from Accor that my data were or could have been leaked, so fingers crossed.

Castleford Tiger Nov 21, 2019 6:02 am

Is any regular user of this forum surprised by this? Seriously, we have been complaining about Accor's IT for years, while they mess about asking if we would like to be able to place orders in the restaurant in the taxi from the hotel. Bunch of jokers.

CT

nkob Nov 21, 2019 6:42 am

first
it should be normal to inform all your clients direct !!
7nov no action
13 nov no action
21 nov no action
responsible ????????
greetings
cornelis

JTCz Nov 21, 2019 12:50 pm

The thing is that even the regular procedures of handling client data by Accor should be treated as extreme possible breach alert every day. Anything you ever shared with Accor is at the fingertips of tens of thousands of agents on a daily basis, with minimal data access tracking and maximum printability and copiability. If you ever book a night at an Accor property, everybody and their grandma with access to the front desk and back office will see your data, including credit card details, printed multiple times and lying around.

Do not get overly worked up, maintain separate cards and bank accounts for use with Accor and a credit rating low enough that the joke is on any potential fraudster. And be nice to all those poorly compensated customer service agents across the Accor world who can make your life miserable at whim, while venting off your displeasure here :D

PS. To be fair, I am not really sure if any other chain is better at that, after all the recent mergers their IT may be less buggy, but is probably running in a similarly laissez-faire mode.

kaizen7 Nov 21, 2019 8:53 pm

Seems like all major chains manage to get this data breach.

nkob Nov 22, 2019 12:36 am

hello JTCz
you generalize a bit too much
it's possible at every business that there are good/bad people
every company got IT problems sooner or later
what is important: do I learn
do I change and do I inform my clients direct and give compensation for damage
greetings
cornelis

AccorHotels Concierge Nov 22, 2019 9:40 am

Dear Members,

We understand your concern regarding the security incident announced in the press last Thursday, involving Teldar & H-Corpo, two companies directly owned by Gekko Holding.


To be crystal clear with you, on November 13th, Teldar & H-Corpo were informed of a security incident involving one of their servers that store log files.
At this stage of the investigations there is no indication that this vulnerability has been exploited for fraudulent or malicious purposes.
The security flaw was immediately corrected on November 13th. Two vulnerability detection tools have since been integrated into the security processes across Gekko’s IT systems to ensure that an incident of this nature will not occur in the future.
Gekko Group is a B2B company and is a subsidiary of the Accor Group. Accor and Gekko Group databases and IT systems are entirely independent.
Gekko’s affected clients have been informed and specific assistance has been put in place to support them in communicating with their clients and carrying out their legal obligations.
The French National Commission on Informatics & Liberty (CNIL) has been notified of the incident and all other necessary legal actions have been undertaken.

So, if you have not been approached you might consider that you are not part of the potential victims.
We sincerely apologize for the inconvenience caused. Feel free to contact our customer care for any questions or concerns you may have.

Best regards,

Amy

Brendan Nov 23, 2019 2:18 pm

Thanks, Everybody! I have changed my Accor password just in case!

starflyergold Nov 24, 2019 11:08 pm


Originally Posted by AccorHotels Concierge (Post 31765865)
Dear Members,

We understand your concern regarding the security incident announced in the press on last Thursday, involving Teldar & H-Corpo, two companies directly owned by Gekko Holding,

Thanks Amy for clarifying the situation.

nkob Nov 26, 2019 12:21 am

amy thanks
greetings
cornelis


All times are GMT -6.

