Data breach at Otelier exposes millions of hotel guest reservations.
A breach in the hotel management platform has compromised guest information.
A malicious actor has used an infostealer to access Otelier's AWS S3 bucket, successfully exfiltrating nearly 8TB of sensitive information. Among the compromised data are hotel reservations and personally identifiable information. This supply chain attack has impacted major hotel chains, including Marriott and Hilton.
Otelier is a hotel management platform that helps optimize operations, enhance guest experiences, and streamline property management processes. This platform is used by over 10,000 hotels worldwide, ranging from independent properties to large brands like Hyatt and Wyndham.
Recently, malicious actors reported that they obtained Atlassian login credentials from an Otelier employee through an infostealer. With this access, they were able to gather tickets and other data, which allowed them to obtain credentials for the S3 buckets. From there, the attackers exfiltrated 7.8TB of data, including "millions of documents belonging to Marriott." The stolen information includes hotel reports, shift audits, and accounting data.
Investigations confirmed that one example from Marriott included a "wide range of data, including guest reservations, transactions, employee emails, and other internal data." In some cases, the attackers managed to obtain names, addresses, phone numbers, and email addresses of guests. It is reported that hundreds of thousands of email addresses were exposed.
Both Otelier and Marriott have corroborated these findings. Otelier has been in contact with its customers whose information may be involved. In response to this incident, the company has hired a team of cybersecurity experts to conduct a thorough forensic analysis and validate its systems. According to the company, the unauthorized access has been terminated, and to prevent future incidents, the implicated accounts have been disabled while work is underway to improve cybersecurity protocols.
For its part, Marriott indicated that the criminals initially attempted to extort the company, believing they owned the data. This revelation comes shortly after the company faced a significant fine to settle previous claims related to security breaches.
