The apparent inability of organisations to correctly and appropriately secure the data they hold in cloud storage instances has once again been made painfully obvious with the exposure of millions of records by Prestige Software, a supplier of channel management software services to the online travel industry.
Users of some of the world’s most popular travel retail websites, including Booking.com, Expedia and Hotels.com, should be on their guard after Prestige’s failure to appropriately configure an AWS Simple Storage Service (S3) bucket left data going back 10 years exposed to the public internet.
The exposure was disclosed on 6 November 2020 by researchers at Website Planet and totalled 24.4GB of data, comprising at least 10 million files.
Data points included in the dump include the credit card details of travellers and travel agents, including the all-important CVV code, payment details, reservation details, and personally identifiable information (PII) including names, email addresses, national ID numbers and phone numbers.
Website Planet said the bucket was still in use, with new records constantly being uploaded, and although it was secured within a few hours of the research team contacting AWS, it is impossible to say that the database had not been accessed or stolen.
Secure by default
AWS S3 buckets are secure by default, so unless a cyber criminal mounted a targeted attack, which cannot necessarily be ruled out in this instance, the bucket's contents can only have been exposed through error or negligence on the part of Prestige Software. AWS also publishes detailed guidance on keeping S3 buckets secure.
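The three settings that decide whether an S3 bucket is reachable from the public internet are its ACL, its bucket policy and the account or bucket-level Block Public Access flags. The script below is an added example for this article, not code from Prestige Software, Website Planet or AWS: it evaluates those three settings offline and reports anything that would make a bucket public. The inputs are constructed to mirror the shapes boto3 returns from get_bucket_acl, get_bucket_policy (the "Policy" JSON string) and get_public_access_block, so the same functions can be run over real responses; the bucket name, owner id and account id are placeholders.

```python
"""Offline audit of an S3 bucket's access settings for public exposure.

Added example, not code from the article or from AWS. Inputs are
constructed inline in the shapes boto3 returns, so it runs offline.
"""
import json

# S3 group grantees that make an ACL grant world-readable (AuthenticatedUsers
# means any AWS account holder, which is public for practical purposes)
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access flags; all four should be True
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group, permission) pairs for ACL grants to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each unconditional Allow to an anonymous principal."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a policy may carry a single statement object
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):           # conditioned grants need human review; not flagged here
            continue
        hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def block_public_access_gaps(config):
    """Return the Block Public Access flags that are not switched on."""
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]


def audit_bucket(name, acl, policy_json, bpa):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for group, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    for sid in public_policy_statements(policy_json):
        findings.append(f"{name}: policy statement {sid} allows an anonymous principal")
    for flag in block_public_access_gaps(bpa):
        findings.append(f"{name}: Block Public Access flag {flag} is off")
    return findings


# Constructed sample settings: a bucket left open, and its hardened counterpart
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}   # placeholder
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
EXPOSED_BPA = {flag: False for flag in BPA_FLAGS}

HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},  # placeholder account
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_BPA = {flag: True for flag in BPA_FLAGS}

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_BPA):
        print(line)
    print("hardened findings:",
          audit_bucket("example-bucket", HARDENED_ACL, HARDENED_POLICY, HARDENED_BPA))
```

Run against the constructed "exposed" settings the audit reports six findings (the AllUsers READ grant, the PublicRead policy statement and four disabled Block Public Access flags); the hardened settings produce none. Statements that carry a Condition are deliberately skipped rather than flagged, because whether a conditioned wildcard principal is safe depends on the condition and needs a human to look at it.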
This raises the question of why such breaches are quite so comically common – indeed, according to Sonrai Security CEO Brendan Hannigan, misconfigurations are the number one cause of a public cloud breach. But, he adds, the reasons for this are perhaps somewhat understandable.
“Exploding complexity, especially around identity and data access, is leading to human error and unintentional exposure,” said Hannigan.
“We have found unintended and mistaken data exposure when onboarding new customers with many datasets containing PII. This means data breaches, such as an exposed S3 bucket, are just the tip of the iceberg.”
Synopsys senior security engineer Boris Cipot commented: “Cloud technology is helping organisations in many ways to be better, faster and more advanced in their operations. However, processes to maintain this technology also need to be regarded as a priority.
“Introducing technologies in production needs to be paired with thorough checks to ensure that the data is properly safeguarded. While these checks may initially be time-consuming, they are necessary to prevent issues later down the line.”
Warren Poschman, senior solutions architect at comforte AG, said the incident could have been mitigated simply by accepting the default AWS S3 permissions, which deny access. The root of the issue, he said, was that many organisations are playing roulette with live data when they should instead be using a data-centric security model, in which data is protected as it is acquired and as it travels through the organisation, regardless of where it is stored or accessed.
“Data-centric protection using technologies like tokenisation allows the organisation to use the protected data for day-to-day operations, analytics and data sharing,” said Poschman. “In this case, it could have meant avoiding a breach entirely because the S3 bucket would have only contained de-identified, secure data.”
Metomic CEO and co-founder Rich Viber also spoke up for tokenisation as a critical element of a privacy-centric culture.
“It’s frustrating that this could have been easily and affordably avoided by embracing a privacy-first culture,” he said. “For example, introducing technology to detect and tokenise the personally identifiable information they exposed, so it would have been unreadable.
“Companies such as Prestige Software need to stop thinking of privacy as a legal and contractual check-box. Instead, they must see it as a means for eradicating data breaches, so they can maintain customer trust and have the power of data, without the risk.”
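Both Poschman and Viber point to tokenisation as the way to keep a storage bucket free of live card data. The following is an added example, not code from the article or from comforte or Metomic, showing what that looks like in practice: fields that look like a card number (Luhn-valid digit strings) are swapped for a random token that keeps only the last four digits, the CVV is dropped altogether since it must never be stored, and the token-to-card mapping lives in a vault that the bucket never sees. The in-memory TokenVault, the record layout and the card number (a well-known test number) are constructed for the example; a real vault would be a separately secured service.

```python
"""Tokenise card data before it is written to storage.

Added example, not code from the article. The vault is an in-memory dict
(assumption); in production it is a separately secured system.
"""
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")   # card numbers are 13 to 19 digits


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by card networks; here it detects PAN-like fields."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True when a field holds a Luhn-valid 13-19 digit number (spaces/dashes allowed)."""
    if not isinstance(value, str):
        return False
    digits = value.replace(" ", "").replace("-", "")
    return bool(PAN_RE.match(digits)) and luhn_valid(digits)


class TokenVault:
    """Maps tokens to the original card numbers and back."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}   # same card always gets the same token, so records still join

    def tokenise(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        while True:
            # keep the last four digits so a card can still be recognised by support
            # staff; randomise the rest; reject candidates that pass Luhn (so a token
            # can never be mistaken for, or equal, a real card number) or that collide
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only callers with vault access can recover the card number."""
        return self._token_to_pan[token]


def tokenise_record(record: dict, vault: TokenVault, drop_keys=("cvv",)) -> dict:
    """Return a copy of the record that is safe to store: PAN-like values are
    replaced by tokens and fields that must never be stored (CVV) are removed."""
    out = {}
    for key, value in record.items():
        if key.lower() in drop_keys:
            continue
        out[key] = vault.tokenise(value) if looks_like_pan(value) else value
    return out


# Constructed sample booking record; 4111 1111 1111 1111 is a standard test number
SAMPLE_RECORD = {
    "guest": "Jane Example",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "reservation_id": "EX-0001",
}

if __name__ == "__main__":
    vault = TokenVault()
    print(tokenise_record(SAMPLE_RECORD, vault))
```

The stored copy contains the guest name, the reservation id and a 16-digit token ending in 1111, but no CVV and no real card number; anyone who finds the stored record, as the Website Planet researchers found the bucket, gets nothing they can charge against. The detokenise path is the one place that needs tight access control, which is the point of keeping it out of the bucket.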
For Prestige’s customer base of online travel firms, the incident will yet again highlight questions over responsibility for cloud security, and the wisdom of trusting third parties with valuable data – as software supplier Blackbaud’s bungled response to a ransomware incident earlier in 2020 also demonstrated.
“The breach of Prestige Software’s data is unfortunate, especially coming as the result of a misconfiguration,” said Gurucul CEO Saryu Nayyar. “Working with third-party vendors poses a number of challenges, including making sure they are maintaining the same level of cyber security that your own organisation requires.”
The real victims
The real victims of Prestige’s blunder are, of course, not its customers, but its customers’ customers, potentially many millions of consumers who are now, through no fault of their own, at heightened risk of being compromised by cyber criminals.
ProPrivacy digital privacy expert Ray Walsh said the numbers affected could be much higher than currently disclosed.
“Millions of people’s data, including credit card details, could have been accessed by cyber criminals,” he said. “Anybody who has made a hotel booking with these major hotel reservation platforms since 2013 is potentially at risk.
“It is vital for Prestige Software and the hotel reservation platforms involved to act quickly to determine which consumers were affected, so they can be contacted and told to cancel their cards and look closely at their accounts for any signs of intrusion.”
Cipot at Synopsys agreed that if the database was accessed while public, consumers would face the most damaging repercussions. He said he anticipated malicious actors attempting to compromise them by trying to infiltrate other linked accounts and services and conducting phishing attacks, as well as carrying out credit card fraud and identity theft.
“We can’t be certain that bad actors have not already gained access to this data,” he added. “But there are a few things that potentially affected users can do to proactively lower their risk and, in turn, improve their security moving forward.
“First, users should change their password on the site as well as on any other online service where it may have been reused. It is worth employing a password manager if you are overwhelmed with the number of services used and the regulatory demands for strong passwords.
“Second, be wary of any email requesting personal data such as passwords, usernames, social security numbers or financial data. Service providers would never request such data over email or even on the phone. If ever in doubt, call your service provider or visit their web page directly and log in through the site. It is critical that you do not open attachments or click on links in emails.
“Finally, talk with your bank proactively – let them know that you have used a service that has leaked your data and check your bank statements regularly for suspicious activity.”
As a Spanish company bound by the EU’s General Data Protection Regulation (GDPR) and holding data on European citizens, Prestige Software needed to report the breach, because not to do so would invite legal actions and huge fines, said Website Planet researcher Mark Holden.
And more trouble lies ahead for the company in terms of financial compliance, said Walsh at ProPrivacy.
“It is now necessary for a full investigation so that a decision can be made as to whether Prestige Software was in violation of the Payment Card Industry Data Security Standard (PCI DSS), as a result of which it may need to be stripped of its ability to process card payments on behalf of the companies it works with,” he said.