Incident Of The Week: Data Privacy Rules Not Helping Security Researchers Inform Affected Enterprises
AccorHotels Subsidiary Exposes 1TB Of Data Including Payment Cards And PII
The challenge with vetting third parties you want to do business with is that they usually have their own circle of trusted partners. In the end you must qualify third parties, and now fourth parties, to understand how far your security posture actually extends. On the other hand, if your own databases are open and reachable from the internet, it does not matter how much scrutiny you place on potential partners.
The security research team of Noam Rotem and Ran Locar at vpnMentor recently discovered an exposed database belonging to AccorHotels subsidiary Gekko Group.
France-based Gekko Group provides a hotel booking platform for other hoteliers across Europe in addition to operating some of its own hospitality brands such as Infinite Hotel and Teldar Travel. In total, Gekko Group claims a combined customer base of 600,000 hotels worldwide. The hospitality data distributor and hotel inventory firm was purchased by AccorHotels in 2017.
Database Demonstrates Interconnected Nature Of Internet Servers
The exposed Elasticsearch instance held more than 1 terabyte of data. The contents the research team reviewed covered Gekko Group's own brands, its clients, and the external websites and partners that use the company's platform and services. Records in the database included travel reservations, PII, payment card numbers and login credentials for Gekko clients. International booking platforms Booking.com and Hotelbeds.com, along with a number of French, Polish and Spanish travel agencies, also had data exposed because their systems exchange data with Gekko Group's platforms.
The researchers' goal was to make the discovery known to the database owner so the exposure could be closed. There is no known evidence that the data was abused, but attackers run the same internet-wide searches for misconfigured servers that the researchers do, so the risk is real. Account takeover (ATO), payment card fraud and identity theft are all possible if the data was exfiltrated.
Data Privacy Legislation Creating Demand For Executive Role
With GDPR enforcement across EU member states in its second year, enterprises have not only implemented the frameworks needed to comply with the rules, but many have also carved out a dedicated data privacy team to oversee the company's practices. The Data Protection Officer (DPO) that GDPR mandates for many organizations, or a Chief Privacy Officer (CPO), governs the company's strategy and its adherence to current and emerging legislation. The role also fields inquiries and responds to notifications from customers, security researchers and regulators.
Many current attempts by security researchers to inform businesses of an exposure struggle to get through. Whether the alert is not taken seriously, the privacy contact mailbox is checked infrequently or the response process is ill-defined, the outcome is the same: the notification sits unread while the data stays exposed. Responding to a researcher's inquiry is a far happier conversation than hearing about a breach from the regulator.
Next Steps: Ensuring Your Database Is Secured
Basic security measures must be taken to protect company and employee data. Rotem and Locar recommend the following three steps regardless of your organization's size or the maturity of its security program:
- Secure your servers
- Implement proper access controls to restrict who can interact with data
- Never leave a system that does not require authentication open to the internet
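The three recommendations above can be turned into a concrete check. The Python script below is an added example, not code from vpnMentor, Gekko Group or the Elasticsearch project: it audits an elasticsearch.yml for the two settings that make an instance reachable and unauthenticated (network.host and xpack.security.enabled are real Elasticsearch setting names; the weak and hardened configs are constructed), and it classifies the response to the unauthenticated GET that internet-wide scanners send to port 9200, using a constructed banner shaped like the real root endpoint response. The probe() helper is the one function that touches the network; run it only against hosts you own.

```python
"""Audit an Elasticsearch node for the two misconfigurations behind exposures
like this one: an HTTP listener bound to a routable interface, and a cluster
that answers without credentials. Added example; the elasticsearch.yml keys
are real, the configs and the sample responses are constructed."""
import ipaddress
import json
import urllib.error
import urllib.request

# Constructed: the kind of config that ends up indexed by internet-wide scanners.
WEAK_CONFIG = """\
cluster.name: booking-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed: same node, bound to loopback with authentication and TLS on.
HARDENED_CONFIG = """\
cluster.name: booking-prod
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Constructed banner shaped like what an open cluster returns to GET /.
OPEN_BANNER = json.dumps({"name": "node-1", "cluster_name": "booking-prod",
                          "version": {"number": "7.4.0"},
                          "tagline": "You Know, for Search"})


def parse_settings(text):
    """Minimal parser for flat 'key: value' elasticsearch.yml files (no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_routable_bind(host):
    """True if network.host accepts connections from beyond the local machine."""
    if host == "_local_":            # Elasticsearch's loopback placeholder (the default)
        return False
    if host in ("_site_", "_global_", "0.0.0.0", "::", "0"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:               # a hostname; only 'localhost' is assumed safe
        return host != "localhost"


def audit_config(text):
    """Return findings for an elasticsearch.yml; an empty list means it passed."""
    s = parse_settings(text)
    findings = []
    host = s.get("network.host", "_local_")
    if is_routable_bind(host):
        findings.append(f"network.host={host}: HTTP listener reachable beyond localhost")
    security = s.get("xpack.security.enabled", "").lower()
    if security == "false":
        findings.append("xpack.security.enabled=false: every index readable without credentials")
    elif security != "true":
        findings.append("xpack.security.enabled not set: confirm authentication is enforced")
    elif s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("TLS off on the HTTP port: credentials travel in cleartext")
    return findings


def classify_response(status, headers, body):
    """Classify what an unauthenticated GET / on port 9200 came back with:
    'open' (cluster banner, no auth), 'authenticated' (401 challenge) or 'unknown'."""
    if status == 401 and any(k.lower() == "www-authenticate" for k in headers):
        return "authenticated"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(data, dict) and "cluster_name" in data and "tagline" in data:
            return "open"
    return "unknown"


def probe(url, timeout=5):
    """Send the same request a scanner sends. Only run against hosts you own."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, dict(resp.headers), resp.read().decode())
    except urllib.error.HTTPError as err:        # 401/403 still carry useful headers
        return classify_response(err.code, dict(err.headers), err.read().decode())
    except urllib.error.URLError:                # refused, filtered or timed out
        return "unreachable"
```

Running audit_config(WEAK_CONFIG) returns two findings (the 0.0.0.0 bind and disabled security) while audit_config(HARDENED_CONFIG) returns none; probe("http://your-host:9200/") returning "open" means anyone on the internet can read every index, which is exactly the state the researchers found. A loopback bind is the simplest fix when only co-located services need the cluster; when clients are remote, put the node behind a firewall or private network and require credentials and TLS rather than trusting the bind address alone.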
See Related: Patching And The Basics