Hotel management platform Otelier leaks data of Marriott, Hilton, and Hyatt guests

Otelier, a platform used by hotel chains worldwide for managing reservations, transactions, and billing, has fallen victim to a data breach that exposed the personal information of hundreds of thousands of guests. The affected individuals include patrons of major hotel chains like Marriott, Hilton, and Hyatt, according to Troy Hunt of the data breach search engine Have I Been Pwned.

The attacker alleges they stole nearly eight terabytes of data from Otelier’s Amazon S3 buckets. The breach reportedly began when an Otelier employee’s system was infected with infostealer malware. This type of malware collects login credentials from compromised systems. Using the stolen credentials, the attacker accessed Otelier’s “Atlassian server,” as reported by Bleeping Computer.

The reference to an “Atlassian server” likely points to Atlassian’s Jira software, a popular tool for tracking bugs, issues, and project tasks. The attacker claims to have discovered credentials for the S3 buckets stored within Jira tickets. This access enabled them to exfiltrate terabytes of sensitive data. While Otelier has confirmed the breach, the company has not yet disclosed the total number of affected individuals.
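A defensive check for the exposure described above, as an added example that is not from the article or from Otelier: it scans ticket text for AWS credential patterns and reports redacted matches. The ticket dictionary shape is a simplified assumption rather than the Jira API schema, the tickets are constructed, and the key pair is the example pair from AWS's documentation.

```python
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 chars.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-style characters; too generic on their
# own, so they are only reported when the same text gives AWS context.
SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
CONTEXT = re.compile(r"secret|aws", re.IGNORECASE)


def redact(value):
    """Keep only enough of a match to locate it, so the report is not a new leak."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text):
    """Return (kind, redacted_value) pairs for credential-like strings in text."""
    hits = [("access_key_id", redact(m.group())) for m in ACCESS_KEY_ID.finditer(text)]
    if hits or CONTEXT.search(text):
        hits += [("secret_access_key", redact(m.group())) for m in SECRET_KEY.finditer(text)]
    return hits


def scan_tickets(tickets):
    """Scan summary, description and comments of each ticket; return findings."""
    findings = []
    for t in tickets:
        fields = [("summary", t.get("summary", "")), ("description", t.get("description", ""))]
        fields += [(f"comment[{i}]", c) for i, c in enumerate(t.get("comments", []))]
        for name, text in fields:
            for kind, value in scan_text(text):
                findings.append({"ticket": t["key"], "field": name, "kind": kind, "value": value})
    return findings


# Constructed sample tickets. The key pair is AWS's published documentation example.
SAMPLE_TICKETS = [
    {"key": "OPS-101", "summary": "Nightly export to S3 fails",
     "description": "Use aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
     "comments": ["Rotated? Not yet."]},
    {"key": "OPS-102", "summary": "Update billing report layout",
     "description": "Commit 0123456789abcdef0123456789abcdef01234567 fixes the header.",
     "comments": []},
]

if __name__ == "__main__":
    for f in scan_tickets(SAMPLE_TICKETS):
        print(f)
```

The 40-character commit hash in the second ticket is not reported because nothing in that field suggests AWS context. Any real finding means the key should be rotated, not just edited out of the ticket.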

Troy Hunt received a dataset containing some of the stolen information, which included 437,000 email addresses, along with partial credit card details, phone numbers, addresses, purchases, and travel plans. These email addresses have since been added to Have I Been Pwned. Interestingly, 80% of the compromised email addresses were already present in the database from prior breaches.

Otelier, which claims to serve more than 10,000 hotels worldwide, now faces significant challenges as it works to address the fallout from this breach.

Read the Bleeping Computer article for more information.