Gekko Group, a subsidiary of AccorHotels, offers a hotel booking platform for business travel. In a data set of about 1 TB that was freely accessible in an Elasticsearch database, security researchers discovered booking information, credit card details, and access data from Gekko Group customers. Several subcontractors, such as Teldar Travels and Infinite Hotels, are also affected. The data was unprotected and accessible via the Internet. People from Spain, Portugal, the UK, the Netherlands, France, Belgium, and Italy are particularly affected, the security researchers report. The platforms Booking.com and Hotelbeds.com were also affected: the Gekko Group processes the booking data for around 600,000 hotels worldwide.
In the meantime, according to those responsible, the affected systems, which were hosted in France, have been secured. Affected customers will be informed.
David Bouck-Standen (M.Sc.)
Sen. IT-Consultant, NetAlive Ltd
Data Protection Expert
It happens again and again that gigantic amounts of personal data are simply on the Internet - just like that, with completely free and unlimited access to entire databases. Today, the technology has become seductively easy to use: one mouse click here, one mouse click there, and a program has already been clicked together, including the database in the backend. Why do you need a real programmer or expert if you can do that? I am not claiming that this was indeed the case in the present case. However, it appears that the necessary care was lacking in the handling of the systems and the personal data of the persons concerned. There may also be a lack of internal structures that look at the developed solution and its parameters and conduct a critical audit. And what about your systems? Do you have an Elasticsearch database?