AccorHotels Subsidiary Exposes Hotels and Travelers in Massive Data Leak
Synicated by GEO´Newsdesk Team
European News Centre Málaga
Led by Noam Rotem and Ran Locar, vpnMentor
’s research team discovered a data breach belonging
to Gekko Group, a subsidiary of Accor Hotels.
Based in France, Gekko Group is a leading European B2B hotel booking platform that also owns
several smaller hospitality brands. These include Teldar Travel & Infinite Hotel, the two brands most exposed in the database discovered by our team. However, some data from other Gekko Group-owned brands were also exposed.
The database in question was huge, containing over 1 terabyte of data. This included data from Gekko Group brands and their clients, as well as external websites and platforms which their
systems communicate with, such as Booking.com.
This breach represents a serious lapse in data security by Gekko Group and its subsidiaries,
compromising the privacy of their customers, clients, AccorHotels, and the businesses themselves.
Gekko Group Company Profile
Founded in 2010 and based in France, Gekko Group primarily works in the European hospitality
market but has offices worldwide. A B2B hotel booking platform, it also owns many smaller brands.
Within all these brands, Gekko Group has a combined customer base of 600,000 hotels worldwide,
with interests in corporate travel, leisure travel, hotel inventory, and data distribution.
In 2017, AccorHotels – the largest hospitality company in Europe, and the sixth-largest worldwide
purchased Gekko Group. At the time, Gekko Group was valued at $117 million.
Understanding a breach and what’s at stake takes careful attention and time. We work hard to
publish accurate and trustworthy reports, ensuring everybody who reads them understands their
Some affected parties deny the facts, disregarding our research or playing down its impact.
So, we need to be thorough and make sure everything we find is correct and true.
In this case, the database contained files belonging to numerous Gekko Group brands and external
platforms. Initially, it was unclear exactly which brand the database belonged to. With data
originating from numerous sources, the team had to cross-reference data with different brands
to make sure they all matched.
Once we confirmed Gekko Group as the database’s owner, we attempted to contact AccorHotels and
their data privacy officer to notify them of the breach and help resolve the issue.
When this failed, our team reached out to Gekko Group directly, as well as their GDPR officer.
Still receiving no replies from AccorHotels or Gekko Group, we contacted their hosting company
and, eventually, the Commission Nationale de l’Informatique et des Libertés (CNIL) – France’s
independent regulatory body for data security and privacy.
Finally, on November 13th, after a week of emails being sent, we received a response from
AccorHotels asking about the leak. Almost immediately after, it had been closed. We duly
received a thank you note from AccorHotels, confirming the closure of the leak. They also
informed Gekko Group accordingly.
Date discovered: 7/11
Date vendors contacted: 7/11
Date of 2nd contact attempt (if relevant): 10/11
Date of Response: 13/11
Date of Action:13/11
Examples of Exposed Data
Hosted in France on servers belonging to OVH SA, the compromised database was huge, containing
approximately 1TB of data.While the data belonged to AccorHotels – via their ownership of Gekko Group – it originatedfrom many different businesses within Gekko Group. The bulk of the data came from two sources: Teldar Travel & Infinite Hotels.
As Gekko Group’s brands serve very different functions, there was a huge variety in types of
data our team accessed, including:
- Hotel and transport reservations
- Credit card details
- Personally Identifiable Information (PII) of various parties
- Login credentials for client accounts on Gekko Group-owned platforms
As these businesses interact with many external platforms in the travel and hospitality
industries, the database also contained data originating from platforms outside of the Gekko
This exposed hotels, travel agencies and their customers around the world, many of whom had
no direct relationship with Gekko Group or its brands.
Our team viewed database entries in numerous languages, originating from many different
countries, mostly in Europe. These included citizens of the following countries:
- The United Kingdom
- The Netherlands
Most of the data we viewed originated from two Gekko Group-owned platforms: Teldar Travel and
Infinite Hotel. Both platforms serve separate functions relating to accommodation reservations
Given its function as a booking platform for travel agents, the entries in the database relating
to accommodation and transport reservations mostly came from Teldar Travel.
Whenever a travel agent used the platform to make a reservation for a customer, an entry was
logged on Gekko Group’s database.
The data exposed in these reservations included:
- Full names
- Email addresses
- Home addresses
- PII of children
- Travel dates
- Destination hotels
- Reservation details (no. of guests, room types, etc.)
- Price of stays
- Data from external reservations platforms (ie. Booking.com)
Because Teldar Travel interacts with many other accommodation and travel platforms, the database
also contained significant amounts of data from external sources.
External platforms whose data was exposed due to interaction with Gekko Group-owned platforms
- Occius – Spanish travel platform
- Infra – French creative agency
- Smile – French digital experience and web development agency
- Mondial Assistance – Polish travel platform
- Selectour.com – French online travel agency
- Booking.com – International hotel booking platform
- Hotelbeds.com – International hotel booking platform
Source: VPN Mentor