Millions of hotel guest reservations leaked in Otelier data breach

(Image credit: Pixabay)

A threat actor used an infostealer to gain access to Otelier's AWS S3 bucket
The threat actor exfiltrated almost 8TB of sensitive data
Reservations, personally identifiable data, and more, were all taken

High-profile hotel chains, including Marriott and Hilton, have had sensitive customer data lost as part of a supply-chain attack against a partner.

Otelier is a hotel management platform designed to optimize operations, enhance guest experiences, and streamline property management processes. It is used by more than 10,000 hotels worldwide, ranging from independent properties, to leading industry brands such as Hyatt, Wyndham, and more.

Malicious actors recently told BleepingComputer they used an infostealer to grab Atlassian login credentials from an Otelier employee. This access was then used to scrape tickets and other data, allowing them to obtain the credentials for S3 buckets, from where the attackers then exfiltrated 7.8TB of data, including “millions of documents belonging to Marriott”. Among the information was hotel reports, shift audits, and accounting data.

Attacks confirmed

A Marriott sample apparently included a “broad range of data, including hotel guest reservations, transactions, employee emails, and other internal data.” In some instances, the attackers obtained hotel guests' names, addresses, phone numbers, and email addresses.

Hundreds of thousands of email addresses were said to have been exposed.

Both Otelier and Marriott confirmed these findings.

"Otelier has been in communications with its customers whose information was potentially involved. In response to this incident, we hired a team of leading cybersecurity experts to perform a comprehensive forensic analysis and validate our systems,” the company told BleepingComputer.

"The investigation determined that the unauthorized access was terminated. In order to help prevent a similar incident from occurring in the future, Otelier disabled the involved accounts and continues to work to enhance its cybersecurity protocols."

Marriott said the crooks first tried to extort the company, thinking it owned the data, and the news comes shortly after it was hit with a major penalty to settle previous security breach claims.

Hackers hide malware into website images to go unnoticed
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.