Hundreds of hotels hit in FastBooking breach

Hackers exploited a web app vulnerability on a server at hotel booking website FastBooking to install malware and pilfer data, such as names, email addresses, booking information and payment card data, from guests at hundreds of hotels.

The breach took place on June 14, said FastBooking, which states it works with 4,000 partner hotels in 100 countries. In an email to affected properties, FastBooking says an attacker exploited a vulnerability in a Web application hosted on its server to install malware, reports Dark Reading. The attacker used this access to steal first and last names, nationalities, physical and email addresses, and booking-related details, such as hotel names and check-in/check-out dates.

“All of our markets have been affected but this represents a minority of our customers,” a spokeswoman for Fastbooking told the Japan Times.

She declined to say how many hotels were affected, but said data from Japan made up a large portion of the compromised information—around 320,000 pieces of customer data from about 400 lodging providers in the country that use the reservation system, including major chain Prince Hotels. The spokeswoman said that personal data was purloined in 58,003 leaks while credit card information was stolen in an additional 66,960 cases.

The French company declined to name the affected hotels, but some Japanese lodging providers have voluntarily come forward to warn former guests, reports the Japan Times. On Wednesday, Fujita Kanko, which operates the Washington Hotel chain, said 25,000 bits of customer information had been stolen through the booking website. Other hotel operators including Hotel Monterey, Hankyu Hanshin Hotels and Royal Holdings also said customer data such as names, addresses and nationalities had been stolen. Prince Hotels said Tuesday that 125,000 bits of customer information had been stolen through its booking websites in English, Chinese and Korean. These hotel operators said they have not confirmed any abuse of the stolen data.

Hospitality and retail companies are an attractive target for hackers because they collect troves of passwords, personally identifiable information, credit card details and other sensitive information, said Tamulyn Takakura, product marketing manager and cybersecurity expert at Prevoty, a web application security provider. Unlike other industries, more of their applications and systems are exposed to the internet, creating more entry points for attack. Hospitality and retail security requires ongoing diligence and multiple layers of defense. 

“In the past year, we've seen an alarming number of data breach caused by vulnerability exploits,” Takakura said. “As attacks continue to grow in frequency and sophistication, the need for attack-based security becomes clear. It’s impossible and impractical to find and fix every vulnerability to account for every threat. Attack-based security offers real-time attack protection, without hampering scalability, availability, or performance. They detect, prevent, and neutralize attacks in production, so business keeps going even in the face of an attack. It buys time, which we argue is the most critical asset when responding to incidents.”

Earlier this year, Orbitz disclosed a security breach that may have exposed the data of thousands of customers, including information on 880,000 payment cards. The breach was discovered March 1. The Expedia-owned travel website operator said the breach affected an older website and the platform of an unnamed business partner. The hackers “likely accessed” people’s names, dates of birth, email addresses, street addresses and genders, Orbitz said.

In the past two years, Sabre, a hotel global distribution system, also had a reservations system security breach, affecting Hard Rock Hotels, Loews Hotels, Four Seasons Hotels and Resorts and Trump Hotels, among others.