Over 24 million records containing personal data of hotel clients were exposed due to the absence of password protection on a server. Cybernews researchers discovered an unprotected Elasticsearch server and a Kibana interface containing sensitive guest information.
The leaked data includes names, email addresses, phone numbers, dates of birth, country and language codes, hotel visit details, stay specifics (check-in times, number of nights, payment amounts, and guest counts), loyalty points, and property identifiers.
While the company responsible for the breach has not been definitively identified, strong evidence suggests that the data may belong to Honotel Group—a French company managing hotel assets. The group owns 135 hotels across eight European countries, with assets valued at €1.2 billion.
References to “SITE HONOTEL” and integrations with Booking.com in the leaked database hint at the possible connection to Honotel’s booking management system.
Cybernews experts reached out to the company for clarification but received no response. The breach was discovered on October 4, 2024, disclosed on October 5, and the database was secured on October 7, 2024.
This leak poses significant risks to the security and privacy of hotel customers. Personal information combined with booking details is a treasure trove for malicious actors, who can exploit it for targeted phishing attacks, fraud, and identity theft. Moreover, such incidents expose the company to legal repercussions and can severely damage its reputation.
Under GDPR regulations, companies are required to report data breaches within 72 hours. Failure to comply may result in fines ranging from 2% to 4% of the organization’s total annual turnover.
To prevent similar breaches in the future, experts recommend the following measures:
- Implement robust server protection with passwords and access controls;
- Notify affected clients so they can take precautionary measures;
- Conduct a thorough security audit to identify vulnerabilities;
- Regularly monitor security and establish incident response protocols;
- Educate employees on best practices for data protection.
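As an added example, not code from Cybernews or from Honotel, here is the kind of check a defender runs against their own Elasticsearch nodes to confirm the weakness behind this leak is closed: whether the node answers an anonymous request at all, and if it does, how many documents per index that exposes. It assumes the documented replies of the root endpoint and of `_cat/indices?format=json` under X-Pack security; the function names and the sample replies are my own.

```python
# Added example: audit an Elasticsearch node you administer for the weakness
# behind this leak (answering without credentials) and size the exposure.
import json
import urllib.error
import urllib.request

OPEN, PROTECTED, UNKNOWN = "open", "protected", "unknown"

def classify_root_reply(status: int, body: str) -> str:
    """Classify the reply to GET / on an Elasticsearch node: 200 with the
    node's self-description means no authentication is enforced; 401/403
    means X-Pack security rejected the anonymous request."""
    try:
        data = json.loads(body)
    except ValueError:
        return UNKNOWN
    if status == 200 and isinstance(data, dict) and "cluster_name" in data:
        return OPEN
    if status in (401, 403):
        return PROTECTED
    return UNKNOWN

def count_exposed_docs(cat_indices_json: str) -> dict:
    """Per-index document counts from GET /_cat/indices?format=json,
    skipping Elasticsearch's dot-prefixed system indices."""
    totals = {}
    for row in json.loads(cat_indices_json):
        name = row.get("index", "")
        if not name.startswith("."):
            totals[name] = int(row.get("docs.count") or 0)
    return totals

def fetch(url: str, timeout: float = 5.0):
    """(status, body) of an unauthenticated GET; a 4xx reply is data, not an error."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")

def audit(base_url: str) -> dict:
    """Verdict for one node plus, if it is open, what an anonymous caller could list."""
    base = base_url.rstrip("/")
    verdict = classify_root_reply(*fetch(base + "/"))
    indices = {}
    if verdict == OPEN:
        status, body = fetch(base + "/_cat/indices?format=json")
        if status == 200:
            indices = count_exposed_docs(body)
    return {"verdict": verdict, "indices": indices, "total_docs": sum(indices.values())}
```

Run `audit("http://localhost:9200")` against a node you operate; a verdict of `open` with a non-zero `total_docs` is exactly the state the researchers found here, and the fix is enabling authentication and restricting network access before anything else.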