The personal data of an estimated 13,500 travelers from the Netherlands was accessible through a poorly secured database managed by Gekko Group, the company told NU.nl. Gekko Group does business with more than 600,000 hotels worldwide.
The database included names, accounts, passwords, e-mail addresses, telephone numbers and in some cases credit card numbers. VPNMentor researcher Ran Locar, who discovered the leak, tells NU.nl that the data of between 130,000 and 140,000 travelers worldwide is involved.
Director Fabrice Perdoncini of Gekko Group said in a response to CNET that the leak was closed on November 13. In addition, the company will investigate the IT systems it uses.
The database contained the data of 13,500 Dutch customers, Gekko wrote in a response to NU.nl. "There is currently no indication that this data has been misused by anyone."
In the meantime, victims have been contacted. Gekko Group, part of AccorHotels, is one of the largest hotel booking companies in Europe.
Data of travelers who have never traveled directly with Gekko Group could also be viewed. That is because the database also contained data from websites such as Booking.com and Hotelbeds.com, with which the company cooperated.
"One of the biggest data breaches ever"
Locar came across the data breach during research carried out in collaboration with Noam Rotem and VPNMentor. The team scans the internet for servers with insufficient security. According to Locar, the leak is "one of the biggest ever" and a huge amount of data was available.
Because the database was on a public server, it was accessible to anyone. The data was not encrypted, making it easy to read.
This article was updated with a response from Gekko Group on Wednesday evening at 6.38 p.m.