
Accor Hotels suffers from data breach; users’ personal information gets leaked

Information security specialists from firm vpnMentor, led by expert Noam Rotem, discovered a data breach that affected Gekko Group, a subsidiary brand of Accor Hotels. Gekko Group is a leading European B2B hotel booking platform that also owns several smaller brands.

It seems that the database compromised during this incident hosted a considerable amount of information from Gekko Group and its customers, as well as data related to external sites and platforms such as Booking.com.

Information security experts consider this incident to be a serious threat to the security of compromised information, as a considerable amount of business and customer data from multiple hosting services has been exposed.

In total, more than 1 TB of information was compromised from Gekko Group, affiliated companies and customers, including details such as:

  • Hotel and transport reservations
  • Customer payment card details
  • Personally identifiable information belonging to users and members of companies
  • Login credentials for customer accounts on platforms owned by Gekko Group

Most of the information exposed originated from two different platforms owned by Gekko Group: Teldar Travel and Infinite Hotel. These two platforms perform separate tasks related to reservations and user data. Each time a travel agent used the platform to make a reservation for a customer, an entry was recorded in the Gekko Group database.

According to information security specialists, each reservation record exposed includes data such as:

  • Full names
  • Address
  • Email addresses
  • Personal information of family members and companions (including minors)
  • Travel dates
  • Destination hotel

In addition to users’ personal information, many reservation records included details such as invoices and card numbers, among other sensitive financial data.

According to information security specialists of the International Institute of Cyber Security (IICS), bad security practices expose not only the company but also its users, who could face multiple variants of cyberattacks, such as identity theft to charge exposed cards and phishing, among others.

Because Accor Hotels and Gekko Group are located in France, this incident will be investigated under the rules set out in the European Union General Data Protection Regulation (GDPR); as this is a significant leak, the company now faces possible class actions and fines as set out in the new data protection legislation.
