Pierluigi Paganini November 22, 2019

Security experts from vpnMentor discovered that Gekko Group, an AccorHotels subsidiary, exposes hotels and travelers in a massive data leak.

Gekko Group is a leading European B2B hotel booking platform that also owns smaller hospitality brands, including Teldar Travel & Infinite Hotel. The AccorHotels subsidiary has a combined customer base of 600,000 hotels worldwide.

vpnMentor discovered a database exposed online that contained over 1 terabyte of data from Gekko Group brands and their clients. The archive also includes data belonging to external websites and platforms that Gekko Group system communicate with, including Booking.com.

“Hosted in France on servers belonging to OVH SA, the compromised database was huge, containing approximately 1TB of data.” reads the report published by vpnMentor.

“While the data belonged to AccorHotels – via their ownership of Gekko Group – it originated from many different businesses within Gekko Group. The bulk of the data came from two sources: Teldar Travel & Infinite Hotels.”

Data included in the database included:

• Hotel and transport reservations (Full names, Email addresses, Home addresses, PII of children, Travel dates, Destination hotels, Reservation details (no. of guests, room types, etc.), Price of stays, Data from external reservations platforms (ie. Booking.com))
• Credit card details
• Personally Identifiable Information (PII) of various parties
• Login credentials for client accounts Gekko Group-owned platforms and from platforms outside of the company umbrella.

The archive included data in numerous languages originating from multiple countries, mostly in Europe (Spain, The United Kingdom, The Netherlands, Portugal, France, Belgium, Italy, Israel).

Most of the records were originated from two companies owned by AccorHotels subsidiary, Teldar Travel and Infinite Hotel.

The database also contained many invoices exposing financial details of travel agents and their customers, and thousands of plain text passwords linked to accounts on Gekko Group-owned platforms. 

An attacker using the passwords could have had access to the account to carry out certain actions, including booking on the account credit, canceling existing bookings, accessing invoices, many more possibilities.

vpnMentor attempted to contact the Gekko Group and the AccorHotels without success, then it reported its findings to their hosting providers and the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s independent regulatory body for data security and privacy.

On November 13th, after a week of attempts of contacts, the researchers received a response from AccorHotels. The company secured the database almost immediately they received the info about the archive. Below the timeline of the incident:

• Date discovered: 7/11
• Date vendors contacted: 7/11
• Date of 2nd contact attempt (if relevant): 10/11
• Date of Response: 13/11
• Date of Action:13/11

Pierluigi Paganini

(SecurityAffairs – AccorHotels subsidiary, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]