Prestige Software S3 LeakJohn LeMay
In the most recent incident of customer data being mishandled, a cloud based travel services provider has accidentally left unprotected the information of numerous travelers who purchased reservations on several popular travel booking sites.
Earlier this month it was discovered that the personal information of an unspecified number of individuals was left exposed online due to an error in the configuration of a cloud storage service. As first reported by Website Planet, Prestige Software, a Spanish company operating in the online reservation and hospitality business, failed to protect the data it collected on behalf of several popular online booking sites. Prestige Software technicians incorrectly configured the public cloud based storage where the data was located and this error went undetected for an unspecified period of time. This oversight resulted in approximately 10,000,000 records being exposed to the internet. Information contained in these exposed records included the names, addresses, telephone numbers, and credit card information — including card numbers, expiration dates, and security codes — belonging to customers of various online travel booking sites.
Prestige Software develops and sells a cloud based hotel reservation platform to travel booking sites such as Hotels.com, Booking.com, and Expedia. As customers of these and other websites booked travel reservations, their collected data was stored by Prestige Software in the Amazon Web Services (AWS) public cloud. Prestige Software engineers failed to properly configure the AWS storage, referred to as a “bucket” in AWS terminology, leaving all customer data stored there exposed to the internet for an unknown period of time. Records that were exposed dated back to as early as 2013. Website Planet indicated that data in the bucket was continuing to updated during their discovery and monitoring process indicating the storage was still being actively used by Prestige to store customer data.
Unfortunately, determining the number of people potentially impacted by this leak is difficult. Each of the exposed records is tied in some way to a reservation, either containing personal data or one or more travelers or containing logging information regarding a website transaction. Website Planet was able to determine through their analysis that credit card data — including numbers, expiration dates, security codes, and card holders name — was stored for “100,000s of people”.
This latest security incident involving cloud based applications and services is another opportunity to review how a failure occurred and how it could have been avoided. In this case the most obvious questions to ask are regarding the customer credit card data. Why did Prestige Software choose to store this information? Ideally credit card data is held only for as long as it takes to complete a transaction. It should then be disposed of and not stored, at least not in its original format. In the case of recurring charges, credit card companies have mechanisms to allow this without the vendor storing the original card data.
Besides credit card data, the leaked information also contained other personally identifiable information including names, phone numbers, and addresses. All of this information appears to have been stored unencrypted, in plain text, perfectly readable by anyone who should happen across it. This information alone can be very damaging should it fall into the hands of the various “bad actors” who are constantly searching for precisely this type of information. This information can be used or sold for the purposes of identity theft, targeted phishing (spear phishing) campaigns, or other nefarious activity.
Why did Prestige Software choose to store this data in Amazon’s public cloud in a readable form instead of encrypting the data? We don’t know, and it’s difficult to guess. One likely possibility however is that there was no decision to intentionally store the data in this form and that it was simply an overlooked detail, similar to the configuration setting on the S3 storage bucket that resulted in the data being exposed to the internet in the first place. These are details that project leaders and technology teams should be paying attention to when engineering and deploying a new solution. They are the details that the software developers, testers, infrastructure teams, security teams, and IT auditors should be paying attention to prior to deployment and again during regular review cycles. There were numerous opportunities for these errors or oversights to be caught, but no one identified the issues and they were never addressed.
The full impact of this security incident to Prestige Software will at best be difficult to fully gauge. Business partners of Prestige Software trusted that personal and financial data was being handled and protected properly. Clearly this was not the case. The people who actually could be directly impacted by this leak – that is the customers of Prestige’s partners – now have reason to distrust many of the various online reservation platforms used for bookings. Due to Prestige’s missteps, these reservation websites may lose the business of at least some of their customers.
Prestige Software will also likely be scrutinized for their failure to adhere to various regulations they are required to abide by. The most obvious to those of us in the US is PCI compliance for their mishandling of customer credit card data. However, as a company based in a EU country, Prestige must also adhere to EU data privacy requirements, specifically the GDPR. Prestige is facing the potential for significant fines for their failures on both fronts and may face revocation of their credit card processing privileges. The erosion of trust coupled with the potential for heavy fines and inability to handle credit card transactions is a very difficult situation for a company focused on the retail travel and hospitality sector.
What about the impact to the unknown number of people whose data was left exposed for an unknown period of time? The most attentive individuals have heard about this incident and will undertake precautionary measures such as resetting passwords, requesting replacement credit cards, and other steps to help avoid any misuse of the data that was stored on Prestige’s systems. Other people however may never hear about this story. They may or may not be notified by the reservation system they used to originally book their travel regarding their personal data being exposed and potentially harvested at some point in the past. It’s also a possibility that some of this data was already harvested at some point and has already been sold or used for some illicit purpose.
The long term impact of this error to Prestige Software and their partners will likely depend on how all of the companies involved respond. Transparency from the perspective of admitting that the exposure occurred is an important first step, one which Prestige Software has already done. Each company whose customer data may have been exposed also bears the responsibility of developing a plan to identify those customers and communicate to them the extent of the exposure. Effective handling of customer identification and communication requires that proper logging had been taking place during the time period when the data was exposed and that the log data was retained and can be reviewed. Without proper logging it will be difficult if not impossible to identify who may have been impacted. In the past, following a data breach, many companies are forced to extend credit monitoring services to those impacted for some period of time. It is likely this type of offering is warranted in this case as well considering that credit card data was exposed.
The costs associated with remediating this issue from a customer and compliance perspective will certainly far exceed the cost to remediate the error made in the system that caused the data to be exposed. This is typically the case when a business experiences a breach or identifies that private data has been exposed publicly. It is far better to prevent issues such as these than it is to remediate them later.
We cannot prevent errors from being made. However, there are numerous methods to assist in minimizing their frequency and their impact. Business and technology leaders must work together to ensure that proper precautions are taken to ensure the integrity of each new innovation or solution prior to deployment as well as throughout the lifecycle of any system. It’s important to remember that no solution is ever truly complete. Ongoing reviews, monitoring, and auditing of systems and applications already deployed can help ensure that existing systems continue to be protected even as new threats emerge.