CYBER SECURITY: AccorHotels Subsidiary Exposes Hotels and Travelers in Massive Data Leak

AccorHotels Subsidiary Exposes Hotels and Travelers in Massive Data Leak Synicated by GEO´Newsdesk Team European News Centre Málaga Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach belonging to Gekko Group, a subsidiary of Accor Hotels. Based in France, Gekko Group is a leading European B2B hotel booking platform that also owns several smaller hospitality brands. These include Teldar Travel & Infinite Hotel, the two brands most exposed in the database discovered by our team. However, some data from other Gekko Group-owned brands were also exposed. The database in question was huge, containing over 1 terabyte of data. This included data from Gekko Group brands and their clients, as well as external websites and platforms which their systems communicate with, such as Booking.com. This breach represents a serious lapse in data security by Gekko Group and its subsidiaries, compromising the privacy of their customers, clients, AccorHotels, and the businesses themselves. Gekko Group Company Profile Founded in 2010 and based in France, Gekko Group primarily works in the European hospitality market but has offices worldwide. A B2B hotel booking platform, it also owns many smaller brands. Within all these brands, Gekko Group has a combined customer base of 600,000 hotels worldwide, with interests in corporate travel, leisure travel, hotel inventory, and data distribution. In 2017, AccorHotels – the largest hospitality company in Europe, and the sixth-largest worldwide purchased Gekko Group. At the time, Gekko Group was valued at $117 million. Understanding a breach and what’s at stake takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness. Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true. In this case, the database contained files belonging to numerous Gekko Group brands and external platforms. Initially, it was unclear exactly which brand the database belonged to. With data originating from numerous sources, the team had to cross-reference data with different brands to make sure they all matched. Once we confirmed Gekko Group as the database’s owner, we attempted to contact AccorHotels and their data privacy officer to notify them of the breach and help resolve the issue. When this failed, our team reached out to Gekko Group directly, as well as their GDPR officer. Still receiving no replies from AccorHotels or Gekko Group, we contacted their hosting company and, eventually, the Commission Nationale de l’Informatique et des Libertés (CNIL) – France’s independent regulatory body for data security and privacy. Finally, on November 13th, after a week of emails being sent, we received a response from AccorHotels asking about the leak. Almost immediately after, it had been closed. We duly received a thank you note from AccorHotels, confirming the closure of the leak. They also informed Gekko Group accordingly.

    Date discovered: 7/11 Date vendors contacted: 7/11 Date of 2nd contact attempt (if relevant): 10/11 Date of Response: 13/11 Date of Action:13/11

Examples of Exposed Data Hosted in France on servers belonging to OVH SA, the compromised database was huge, containing approximately 1TB of data.While the data belonged to AccorHotels – via their ownership of Gekko Group – it originatedfrom many different businesses within Gekko Group. The bulk of the data came from two sources: Teldar Travel & Infinite Hotels. As Gekko Group’s brands serve very different functions, there was a huge variety in types of data our team accessed, including:

•     Hotel and transport reservations
•     Credit card details
•     Personally Identifiable Information (PII) of various parties
•     Login credentials for client accounts on Gekko Group-owned platforms
•     etc.

As these businesses interact with many external platforms in the travel and hospitality industries, the database also contained data originating from platforms outside of the Gekko Group umbrella. This exposed hotels, travel agencies and their customers around the world, many of whom had no direct relationship with Gekko Group or its brands. Our team viewed database entries in numerous languages, originating from many different countries, mostly in Europe. These included citizens of the following countries:

•     Spain
•     The United Kingdom
•     The Netherlands
•     Portugal
•     France
•     Belgium
•     Italy
•     Israel

Most of the data we viewed originated from two Gekko Group-owned platforms: Teldar Travel and Infinite Hotel. Both platforms serve separate functions relating to accommodation reservations and data. Given its function as a booking platform for travel agents, the entries in the database relating to accommodation and transport reservations mostly came from Teldar Travel. Whenever a travel agent used the platform to make a reservation for a customer, an entry was logged on Gekko Group’s database. The data exposed in these reservations included:

•     Full names
•     Email addresses
•     Home addresses
•     PII of children
•     Travel dates
•     Destination hotels
•     Reservation details (no. of guests, room types, etc.)
•     Price of stays
•     Data from external reservations platforms (ie. Booking.com)

Because Teldar Travel interacts with many other accommodation and travel platforms, the database also contained significant amounts of data from external sources. External platforms whose data was exposed due to interaction with Gekko Group-owned platforms included:

•     Occius – Spanish travel platform
•     Infra – French creative agency
•     Smile – French digital experience and web development agency
•     Mondial Assistance – Polish travel platform
•     Selectour.com – French online travel agency
•     Booking.com – International hotel booking platform
•     Hotelbeds.com – International hotel booking platform

Source: VPN Mentor