Personal and payment data from hundreds of hotels exposed

Hundreds of hotels around the world have been breached as a result of a hack on booking website FastBooking.

According to an email sent by the company to affected properties, the breach took place on June 14, was detected five days later, and remedied within three hours of discovery. It says that an attacker exploited a vulnerability in a Web application hosted on its server to install malware, which was used to steal personal and payment information from guests at hundreds of hotels.

The notice sent out by the company can be read here.

FastBooking is also providing templates to affected hotels which can be used to notify former guests of the breach, as well as separate templates to notify national data protection agencies.

The company has not said how many guests or hotels were affected, but according to its website, it handles reservations for around 4,000 hotels in 40 countries.

“All of our markets have been affected but this represents a minority of our customers,” a spokeswoman for the company told Japan Times. She didn’t say how many hotels were affected, but did say that data from Japan made up a large portion of the compromised information.

The Japanese data accounts for around 320,000 items from 380 hotels. Of these, the spokeswoman said that personal data was exposed in 58,003 cases, and payment information in an additional 66,960 cases.

FastBooking did not clarify which hotels were affected, though some have notified guests themselves. Prince Hotel, Fujita Kanko (which operates the Washington Hotel chain), Hotel Monterey, Hankyu Hanshin Hotels and Royal Holdings all warned customers that their data may have been compromised.

Prince Hotel said that due to the breach at FastBooking, a server for its English, Chinese and Korean language websites had been hacked twice earlier this month, resulting in the loss of 124,963 items of information including names, credit card numbers and addresses.

It revealed that personal information of customers who had booked rooms between May and June 2017 had been breached, and that credit card numbers were stolen from customers who had made reservations before August 2017.

Prince Hotel president Masahiko Koyama apologised for the breach and the chain will suspend its websites until it can ensure their security.

Though full details of the breach are not yet known, the incident emphasises the importance of third-party (in)security, which has been implicated in several major hacks recently. Less recently, the impact of breaches at third-party providers has hit the hospitality sector hard, with the hack on Sabre Hospitality Solutions in particular causing chaos.

As organisations – even in industries with less of a reputation for maturity in the area – invest more heavily in cybersecurity, they need to ensure they can count on their third-party providers. Individual organisations with sizeable amounts of sensitive data are becoming increasingly aware of their responsibilities and the need to strengthen their defences. If that is the case, third-party providers may become an increasingly tempting target for hackers, offering back doors into multiple highly lucrative organisations.

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.
