Improperly Configured AWS S3 Bucket Exposes 10 Million Hotel Guest Records
A misconfigured AWS S3 bucket has exposed 24.4 GB of personal data belonging to millions of hotel guests. The issue affected a hotel reservation platform, Cloud Hospitality, that allows hotels to integrate their own systems with third-party online booking sites, such as Expedia and Hotels.com. The stored data include names, national ID numbers, and payment card information.
A great aid for avoiding these types of vulnerabilities: the Center for Internet Security has updated v1.3 benchmarks (configuration guidelines) for AWS S3, Office365 and the other commonly used cloud services that are constantly in the news with avoidable misconfigurations enabling incidents and exposures. https://www.cisecurity.org/blog/cis-benchmarks-september-2020-update/: CIS Benchmarks September 2020 Update
While Amazon has implemented controls and warnings to limit creating or modifying an S3 bucket to be world accessible, it's still necessary to audit your configured storage to make sure permissions are appropriate for storage created prior to those controls or to find users accepting the warning and proceeding anyway. Amazon has published guidelines for auditing your AWS account and services for appropriate permissions as well as tools like CloudTrail and S3 bucket logging which allow you to monitor for inappropriate activity. See AWS security audit guidelines: https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html: AWS security audit guidelines
Read more in
Website Planet: Report: Hotel Reservation Platform Leaves Millions of People Exposed in Massive Data Breach
Infosecurity Magazine: Hotel Booking Firm Leaks Data on Millions of Guest