Huge data breach AccorHotels

Old Nov 20, 19, 10:44 am
  #1  
Original Poster
 
Join Date: Feb 2013
Location: London
Programs: HertzPresCircle, Virgin Atlantic Gold,Hil-Diam, Europcar Elite Vip, Emirates Gold, MarriottTitanium.
Posts: 186

When it comes to travel, most people are concerned with planning their trip, getting the best price and making sure they've packed everything. Now they also need to worry about whether their reservation companies have properly secured their data: Security researchers found that one of Europe's largest hotel booking companies left more than a terabyte of sensitive data exposed on a public server.

The exposed database contained travelers' information like names, home addresses, lodging, children's personal information, credit card numbers and thousands of passwords stored in plaintext, the security researchers said Wednesday. The database stores information on 140,000 clients, each of which could be an individual, a group of travelers or an organization.

The database belongs to Gekko Group, a subsidiary of France-based AccorHotels, Europe's largest hospitality company. Gekko Group handles business travel and luxury travel with more than 600,000 hotels across the world, according to its website. AccorHotels referred to Gekko Group for comment.

Fabrice Perdoncini, Gekko Group's CEO, said that the company has secured the database and is launching an internal investigation on its IT systems.

"Ensuring the adequate protection of our clients' data is of utmost importance to Gekko Group, a B2B company," Perdoncini said in a statement. "We acknowledge the seriousness of this matter and confirm that no malicious use or misuse of data has been reported so far."

The company said that it was informing its affected clients and that less than 1,000 unencrypted credit card numbers were stored on the database. But more credit card numbers could have been seen in document scans stored on the server.

The pile of leaked passwords contained the credentials for the World Health Organization, and a potential hacker could have used those credentials to book travel using the group's budget, the security researchers said. The WHO didn't respond to a request for comment.

The discovery came via independent security researchers Noam Rotem and Ran Locar, who worked with Israeli security company VPNMentor to find the exposed database. "It's unfortunately not the first time we see a data breach of this scale with that type of sensitive information. It's sadly a much more common issue than one would think," Rotem said in a statement.

Rotem and Locar said they reported the exposed database to Gekko Group and AccorHotels on Nov. 7 and got a response on Nov. 13. The company told the researchers that it's since secured the server, according to Rotem and Locar.

Even if you've never interacted with those two companies, data from their partners was also exposed, the researchers said. The database had a significant amount of data from websites like Booking.com and Hotelbeds.com open to the public, including personal information and credit card numbers, researchers said.

The server was hosted in France, but the affected travelers came from several countries including Spain, the United Kingdom, the Netherlands, Portugal, France, Belgium, Italy and Israel, researchers said.

"For two companies of their respective sizes and market shares, Gekko Group and AccorHotels would be expected to have more robust data security," VPNMentor said. "By exposing such a huge amount of sensitive data, they will likely face questions over how this happened, and their wider data security policies for all brands they own."

Source:

https://www.cnet.com/news/exposed-da...to-the-public/
starflyergold and Dav77 like this.
itisme is offline  
Old Nov 20, 19, 2:53 pm
  #2  
 
Join Date: Mar 2017
Location: Somewhere in Europe ( mostly )
Programs: Still ALL Plat, HH Gold
Posts: 564
Wow - Just wow.
hotel_user is offline  
Old Nov 20, 19, 5:20 pm
  #3  
 
Join Date: Oct 2016
Location: ADL
Programs: LeClub AccorHotels / Accor Plus (Platinum), Qantas Frequent Flyer, Virgin Velocity
Posts: 447
Originally Posted by itisme View Post

Rotem and Locar said they reported the exposed database to Gekko Group and AccorHotels on Nov. 7 and got a response on Nov. 13.
This isn't even surprising - even on a matter like this, Accor took a week to respond.
Maelstrom is offline  
Old Nov 20, 19, 6:51 pm
  #4  
 
Join Date: Jan 2011
Location: YYZ
Programs: TK*G, AC Aeroplan, Fairmont Platinum, Starwood Gold, Nexus/GE, Hertz #1 Gold
Posts: 1,774
Originally Posted by Maelstrom View Post
This isn't even surprising - even on a matter like this, Accor took a week to respond.
Maybe they should have reached out to Accor on Twitter or Facebook to report the breach.

Accor is such a well-run organization, with top notch IT systems, responsive service teams, and some of the brightest professionals in the business, it's surprising they would be capable of such gross negligence and then follow it up with a stunningly slow response to the problem... Said nobody. Ever.

I think Accor HQ is where people who are otherwise unemployable go to work, because they know they will fit right in.
Stratonaut, sycokid and R.O. like this.
CanadaDH is offline  
Old Nov 21, 19, 12:48 am
  #5  
Moderator, Turkish Airlines Miles&Smiles & Le Club Accorhotels
Accor 25+ Badge
 
Join Date: Apr 2009
Location: BRU
Programs: TK*G, Le Club Accorhotels Platinum
Posts: 6,691
Originally Posted by CanadaDH View Post

I think Accor HQ is where people who are otherwise unemployable go to work, because they know they will fit right in.
Let's keep the discussion somewhat reasonable. I'm not sure such sweeping generalisations are helpful. @:-)

On the question of the data breach, Accor (or to be precise, one of their subsidiaries) is just one of the latest travel companies being caught out by their lax handling of sensitive data. I've been through this with Hilton and Starwood. Hilton in particular was a nightmare for me. What they all have in common is the slow response in alerting customers and regulators.

I would hope Accor would come here (and directly to members) and clarify how this data breach affects customers (or not).
starflyergold is offline  
Old Nov 21, 19, 6:33 am
  #6  
Hilton 5+ BadgeAccor 10+ Badge
 
Join Date: Nov 2012
Location: Rhineland-Palatinate
Programs: OW Ruby (BA), *A Gold (A3), Le Club Accor Gold, HHonor Diamond
Posts: 2,585
GDPR regulations were done for multiple reasons; one was to decrease the response time to alert regulators. I have not received any email from Accor saying my data were or could have been leaked, so fingers crossed.
fransknorge is offline  
Old Nov 21, 19, 7:02 am
  #7  
 
Join Date: Dec 2014
Programs: Flying Blue Gold, Accor Gold, Hilton Gold, Marriott Gold
Posts: 148
Is any regular user of this forum surprised by this? Seriously, we have been complaining about Accor's IT for years, while they mess about asking if we would like to be able to place orders in the restaurant in the taxi from the hotel. Bunch of jokers.

CT
Castleford Tiger is offline  
Old Nov 21, 19, 7:42 am
  #8  
 
Join Date: May 2018
Posts: 253
First,
it should be normal to inform all your clients directly!!
7 Nov: no action
13 Nov: no action
21 Nov: no action
Responsible????????
greetings
cornelis
sycokid likes this.
nkob is offline  
Old Nov 21, 19, 1:50 pm
  #9  
 
Join Date: Nov 2013
Programs: LeClubAccorhotels Platinum, M&M FTL
Posts: 448
The thing is that even the regular procedures of handling client data by Accor should be treated as extreme possible breach alert every day. Anything you ever shared with Accor is at the fingertips of tens of thousands of agents on a daily basis, with minimal data access tracking and maximum printability and copiability. If you ever book a night at an Accor property, everybody and their grandma with access to the front desk and back office will see your data, including credit card details, printed multiple times and lying around.

Do not get overly worked up, maintain separate cards and bank accounts for use with Accor and a credit rating low enough that the joke is on any potential fraudster. And be nice to all those poorly compensated customer service agents across the Accor world who can make your life miserable at whim, while venting off your displeasure here.

PS. To be fair, I am not really sure if any other chain is better at that, after all the recent mergers their IT may be less buggy, but is probably running in a similarly laissez-faire mode.
JTCz is offline  
Old Nov 21, 19, 9:53 pm
  #10  
 
Join Date: Feb 2018
Programs: Bonvoy Amb , LCAH : Plt, Skywards : Gold
Posts: 1,671
Seems like all major chains manage to get this data breach.
kaizen7 is offline  
Old Nov 22, 19, 1:36 am
  #11  
 
Join Date: May 2018
Posts: 253
Hello JTCz,
you generalize a bit too much.
It's possible at every business that there are good/bad people.
Every company gets IT problems sooner or later.
What is important: do I learn,
do I change, and do I inform my clients directly and give compensation for damage?
greetings
cornelis
nkob is offline  
Old Nov 22, 19, 10:40 am
  #12  
Company Representative, Accorhotels
 
Join Date: Mar 2011
Location: France
Programs: ALL - Accor Live Limitless
Posts: 748
Dear Members,

We understand your concern regarding the security incident announced in the press last Thursday, involving Teldar & H-Corpo, two companies directly owned by Gekko Holding.

To be crystal clear with you, on November 13th, Teldar & H-Corpo were informed of a security incident involving one of their servers that store log files.
At this stage of the investigations there is no indication that this vulnerability has been exploited for fraudulent or malicious purposes.
The security flaw was immediately corrected on November 13th. Two vulnerability detection tools have since been integrated into the security processes across Gekko’s IT systems to ensure that an incident of this nature will not occur in the future.
Gekko Group is a B2B company and is a subsidiary of the Accor Group. Accor and Gekko Group databases and IT systems are entirely independent.
Gekko’s affected clients have been informed and specific assistance has been put in place to support them in communicating with their clients and carrying out their legal obligations.
The French National Commission on Informatics & Liberty (CNIL) has been notified of the incident and all other necessary legal actions have been undertaken.

So, if you have not been approached you might consider that you are not part of the potential victims.
We sincerely apologize for the inconvenience caused. Feel free to contact our customer care for any questions or concerns you may have.

Best regards,

Amy
AccorHotels Concierge is online now  
Old Nov 23, 19, 3:18 pm
  #13  
 
Join Date: Dec 2000
Location: Charleston, SC, USA
Programs: Avis Chairman's, Hertz Au+ , IHG Au, Hyatt, Honors Au (Amex), Marriott Pt & Life Au, Accor Ag
Posts: 6,544
Thanks, Everybody! I have changed my Accor password just in case!
Brendan is offline  
Old Nov 25, 19, 12:08 am
  #14  
Moderator, Turkish Airlines Miles&Smiles & Le Club Accorhotels
Accor 25+ Badge
 
Join Date: Apr 2009
Location: BRU
Programs: TK*G, Le Club Accorhotels Platinum
Posts: 6,691
Originally Posted by AccorHotels Concierge View Post
Dear Members,

We understand your concern regarding the security incident announced in the press last Thursday, involving Teldar & H-Corpo, two companies directly owned by Gekko Holding,
Thanks Amy for clarifying the situation.
starflyergold is offline  
Old Nov 26, 19, 1:21 am
  #15  
 
Join Date: May 2018
Posts: 253
Amy, thanks
greetings
cornelis
nkob is offline  
