With cyberattacks (and breaches) on the rise, businesses must ensure their information is properly secured. Prestige Software, developer of the Cloud Hospitality platform, is the latest company to have misconfigured its storage solution.
For a long time we have talked about ensuring proper configuration when using cloud services. This keeps your sensitive and private information secure, as well as keeps business costs down and keeps systems running efficiently. Configuration of any cloud service is important, but storage solutions matter the most. Why? Because a misconfigured storage solution can lead to a plethora of problems. Just ask Prestige Software, developer of Cloud Hospitality, a platform that hotels can use to integrate booking with sites like Expedia and Hotels.com. Prestige is just the latest in a line of companies with misconfigurations leading to data exposure.
A security team at Website Planet discovered the latest misconfiguration. The team found that the Amazon Web Services S3 bucket was accessible without any protection in place, exposing 10 million records (over 24GB of data). Some of the records dated back to 2013, even though the bucket was “live” and in use when it was discovered. The information inside the bucket included full names, email addresses, national ID numbers and phone numbers of hotel guests. It also included credit card numbers, CVVs and expiration dates, cardholder names and reservation details such as cost, dates, special requests, number of guests, etc.
“The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks,” according to Website Planet. “The S3 bucket contained over 180,000 records from August 2020 alone. Many of them related to hotel reservations being made on numerous websites, despite global hotel bookings being at an all-time low for this period.”
The firm also stated that it is probable that every website and booking platform connected to Cloud Hospitality is affected. The good news for those websites and hotels is that they aren’t the ones on the hook for this; Prestige Software holds the blame here. The company is subject to GDPR and PCI DSS regulations, which may bring large fines on top of any legal fees the company faces. They can look to Capital One for an idea of what that fine might look like. Non-compliance with PCI DSS could result in losing the ability to accept and process credit card payments, although an investigation will have to happen before any penalty is imposed.
While this is bad, really bad from a PR perspective for Prestige, they are not alone. Last month Pfizer was discovered to have leaked private medical data of prescription drug users in the U.S. due to an unprotected Google Cloud storage bucket. Broadvoice, a VoIP provider, leaked more than 350 million customer records. Razer, which sells high-end gaming gear, had around 100,000 customers’ information exposed due to a misconfigured Elasticsearch server.
On top of this, a September analysis by Comparitech found that a large percentage of cloud databases containing private and sensitive information are publicly available. It showed that 6% of all Google Cloud buckets are misconfigured and left open to the public internet.
Configuration is incredibly important to security. We recently discussed the top three security misses we have seen, and one of the examples was misconfiguration of storage buckets in the cloud. In the past, we have also talked about the characteristics of a split data storage solution, and several articles have mentioned the need to keep sensitive and private information secure. As a business, you are on the hook for anything that happens on your company equipment; if there is a breach, the business pays for it. There are legal fees, reparations, labor costs for fixing the problem and fines from compliance bodies.
Configuration is probably even more important to security than IAM controls, although both are vital pieces. This isn’t something you mess around with, or something you trust just anyone to do. Especially when dealing with cloud services, you must hire an expert. You may think you’ve done everything correctly and that your IT department has it under control, and you could be right. But what harm is there in bringing in an expert to verify that everything is correct? The cost of bringing someone in, even just to look, will be far less than the cost of a breach. Not just that, but a breach can mar a business’s reputation for years to come, which is why most small and medium-sized businesses, and even some larger ones, do not survive after exposing information. Don’t be the next Capital One or Pfizer or Prestige. Protect your customers, your business and your employees by ensuring your data storage solution is secure and not part of a public bucket!
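The kind of verification the last two paragraphs call for, as an added example that is not from the article or from any company named in it: it evaluates the three S3 settings that together decide whether a bucket is reachable from the internet (bucket policy, ACL grants and the Block Public Access flags), run here against a constructed open configuration and a constructed locked-down one. The bucket name, role ARN and account id are placeholders.

```python
import json
# Real S3 ACL group URIs; a grant to either one makes the data public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GRANTEES = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_anonymous(principal):  # Principal "*" or {"AWS": "*"} means anyone on the internet
    aws = principal.get("AWS", []) if isinstance(principal, dict) else (principal or [])
    return aws == "*" or "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_statements(policy_json):
    """Sids of Allow statements that admit anonymous callers with no Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(grants):
    """Permissions the bucket ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def assess_bucket(policy_json, acl_grants, public_access_block):
    """Combine policy, ACL and Block Public Access roughly the way S3 applies them."""
    findings = []
    if not public_access_block.get("RestrictPublicBuckets", False):  # neutralises a public policy
        findings += [f"policy statement {sid} grants anonymous access"
                     for sid in public_policy_statements(policy_json)]
    if not public_access_block.get("IgnorePublicAcls", False):  # neutralises public ACL grants
        findings += [f"ACL grants {perm} to a public group"
                     for perm in public_acl_grants(acl_grants)]
    return findings

# Constructed weak configuration (not from the incident): anonymous read/list, public ACL, BPA off.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bookings", "arn:aws:s3:::example-bookings/*"]}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
NO_BLOCK = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls",
                          "BlockPublicPolicy", "RestrictPublicBuckets"], False)

# Constructed corrected configuration: one named role, TLS required, Block Public Access fully on.
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "BookingServiceOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-service"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bookings/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]})
FULL_BLOCK = dict.fromkeys(NO_BLOCK, True)
```

Feeding the real values from the bucket's GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock responses into `assess_bucket` gives the same findings list for a live bucket.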