Prestige Software data breach exposes sensitive data from millions of hotel guests worldwide

A hotel reservation platform of Spain based firm Prestige Software which is used by some of the world’s largest online booking websites has been exposing highly sensitive data from millions of hotel guests worldwide, dating as far back as 2013 and including credit card details for 100,000s of people, claimed a security team at Website Planet.

Prestige Software sells a channel management platform called Cloud Hospitality to hotels that automate their availability on online booking websites like Expedia and Booking.com

According to Website Planet which deals in online reviews, the Prestige Software was storing years of credit card data from hotel guests and travel agents without any protection on a misconfigured Amazon Web Services (AWS) S3 bucket. As a result, a massive amount of data was exposed — over 10 million individual log files in total, dating back to 2013.

Advertisement

‹

EVENT

Saksham Bharat 2026

A multi-stakeholder dialogue on skilling gap in Cybersecurity, Data Resilience and AI — and the roadmap to a Saksham Bharat.

📅 Tue, 26 May 2026

📍 Mumbai, Bengaluru, Delhi

Register Now →

EVENT

VeeamON 2026 Tour India - Mumbai

A VeeamON 2026 India Leadership Series Mumbai for senior public sector and government technology leaders.

📅 Tue, 26 May 2026

📍 Grand Hyatt, BKC

Register Now →

EVENT

Cyber Surakshit Uttar Pradesh

Find out strategies, frameworks and solutions for building a resilient and secure digital ecosystem across Uttar Pradesh.

📅 Thu, 28 May 2026

📍 Lucknow

Register Now →

EVENT

VeeamON 2026 Tour India - Bengaluru

A VeeamON 2026 India Leadership Series Bengaluru for senior public sector and government technology leaders.

📅 Wed, 03 Jun 2026

📍 JW Marriott Hotel

Register Now →

EVENT

VeeamON 2026 Tour India - Delhi

A VeeamON 2026 India Leadership Series Delhi for senior public sector and government technology leaders.

📅 Fri, 19 Jun 2026

📍 Shangri-La Eros

Register Now →

EVENT

Infosec Reimagined

Infosec Reimagined 2026 is the premier information security summit where top leaders—CISOs, CROs, CIOs, CTOs and risk executives—converge to redefine cyber resilience.

📅 Fri, 26 Jun 2026

📍 New Delhi

Register Now →

EVENT

Digital Senate

Digital Senate is a premier conference uniting government leaders, technologists and innovators to share ideas, success stories and strategies on digital governance, public sector transformation, cybersecurity and emerging technologies in India.

📅 Thu, 30 Jul 2026

📍 New Delhi

Register Now →

EVENT

CIO Prism

CIO Prism unites forward-thinking technology leaders to exchange transformative insights, shape digital strategies, and foster innovation, empowering enterprises to excel in an era of rapid technological change.

📅 Fri, 18 Sep 2026

📍 Goa

Register Now →

›

The company claimed that each of these records exposed sensitive and valuable Personally Identifiable Information (PII) data belonging to the individuals making the reservations. However, it’s difficult to say how many people were affected, due to the amount of data exposed.

The S3 bucket was still live and in use, with new records being uploaded within a few hours of our investigation, said the company.

The company claimed that the S3 bucket contained data that appeared to originate from many well-known sources listed as Cloud Hospitality’s customers, including, but not limited to Agoda, Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees and Sabre, among others.

The security team said that they did not review all the files exposed in the S3 bucket, adding that every website and booking platform connected to Cloud Hospitality was probably affected.

The company said that they investigated several companies potentially responsible for the data breach. However, considering the size of the data exposed and its sensitivity, they decided to contact AWS directly so it could resolve the issue quickly and ensure the breach was closed. The S3 bucket was secured the following day.