
Millions of people’s payment details at risk from booking.com and Expedia data breach


Millions of hotel customers have potentially had their payment details leaked due to serious security failings by the software company behind a major hotel reservation system.

A cloud hospitality system used to store payment details and other personal data by major companies, including booking.com and Expedia, has been found to have no security in place. This means the data could be accessed by anyone who knew where to look.

The breach was revealed on 6 November 2020 by security experts at Website Planet. The unsecured cloud hospitality system was developed by Spanish firm Prestige Software.

The data at risk covers bookings as far back as 2013 and includes highly sensitive information such as credit card and CVV numbers, full names, addresses and ID numbers of guests, as well as details about customers’ reservations.

Website Planet have explained how the breach occurred: “Prestige Software was storing Cloud Hospitality data on a misconfigured Amazon Web Services (AWS) S3 bucket, a popular form of cloud-based data storage.

“As a result, a massive amount of data was exposed: over 10 million individual log files in total, dating back to 2013.”

According to the experts at Website Planet, it is “difficult to say how many people were affected, due to the amount of data exposed” but, as the log files could each relate to more than one person (e.g. for family bookings) “the actual number of people exposed could be much higher than the number of reservations logged”.

This means that more than 10 million people may have had their personal data exposed as a result of the Prestige Software breach.

Other companies that use Prestige Software’s Cloud Hospitality system include Agoda, Amadeus, Hotels.com, Hotelbeds, Omnibees and Sabre. Customers of these other companies could, therefore, also be at risk.

Jose Hernández, product manager at Prestige Software, told The Independent: “We have taken measures to diligently react to this incident which, according to the information that we are managing right now, should actually have had very limited effects. We are still working on this and will update you should any relevant development be given.”

An Expedia Group spokesperson told The Independent: “We are aware of the report related to a data security incident that Prestige Software/Cloud Hospitality may have experienced. This was not a compromise of Expedia Group’s systems. As such, we are directing any requests for information to Prestige Software/Cloud Hospitality.”

What to do if you are worried about the Prestige Software data breach

You should have been contacted already by booking.com or Expedia if the payment details you shared with them are at risk from the Prestige Software data breach.

If you have used either of these companies any time since 2013 and you have not been contacted, you should contact them directly for more information.

A good precaution is to check whether the email address you used with either company has been exposed using a website such as haveibeenpwned.com. This can help you to see whether you have been caught up in this data breach.

If your financial details have been exposed, you could be at serious risk of financial fraud. Registering with the Cifas fraud prevention service is a sensible precaution. This will ensure extra checks are carried out if anyone attempts to take out credit in your name.

You should also notify your bank, building society and/or credit card provider, who can advise you on the appropriate steps to protect your accounts. It is a good idea to regularly check your bank statements for any transactions you do not recognise, which could be fraudulent. Your bank or building society will normally refund any fraudulent payments if you have taken appropriate precautions.

It is also sensible to be wary of any emails, phone calls or other communications you receive, especially from people claiming to represent booking.com or Expedia. These could be ‘phishing’ attacks aimed at extracting more personal information from you or scams intended to get you to transfer money to the scammers.

Do not share any personal information with, or make any payment to, anyone who contacts you unless you are absolutely sure that they are legitimate and there is a valid reason to do so.

Should you find yourself the victim of fraud as the result of the Prestige Software data breach, you should report this to the police and Action Fraud.

There are also various steps you can take to minimise the risk of your data being used by cybercriminals. Take a look at our guide to what to do if your data has been stolen in a data breach to find out more.

Can you claim compensation for a data breach?

When you share personal information, such as payment details, with an organisation, it has a legal duty to protect that information under the Data Protection Act 2018. This includes a legal requirement to have in place appropriate cyber security measures, such as passwords and encryption, to prevent your details falling into the wrong hands.

As Prestige Software had no protection in place for the payment details it was storing, the company has almost certainly breached the Data Protection Act 2018 and the equivalent legislation in Spain (where Prestige Software is headquartered). This means anyone whose payment details were exposed as a result of the Prestige Software data breach will likely have a claim for compensation.

Victims of the breach will potentially be able to claim damages for any financial losses they have suffered as a result, as well as for their emotional distress. Even where no specific harm has been caused, victims may still be able to claim compensation for the breach.

How Hayes Connor can help you claim data breach compensation

Hayes Connor has one of the largest teams of data breach claims specialists in the country, with decades of combined experience. If you have been the victim of a data breach, we can advise you on whether you are likely to have grounds for a claim, the level of compensation you may be entitled to and what you need to do to start a claim.

Our goal is to ensure that anyone who is affected by a data breach is able to get the compensation they deserve, while making the claims process as simple and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form.

To speak to a member of our team, please do not hesitate to give us a call on 0330 041 5135.
