On Tuesday (June 26th) FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries, notified the public of a data breach that occurred within their software. In the breach, which occurred on June 14th, the attacker exploited a vulnerability in an application hosted on FastBooking’s server to install malware. The malware allowed the hacker to access the server, which he or she used to exfiltrate data. It is believed that the hacker gained access to personally identifiable information such as hotel guests’ first and last names, nationality, postal addresses, email addresses, and hotel booking information (hotel name, check-in, and check-out dates). Furthermore, the intruder also obtained payment card details on some, but not all, guests.
FastBooking sent out emails to each affected hotel with the number of affected guests and the type of data the hacker stole. Prince Hotels & Resorts, a chain run out of Japan, said the breach affected over 124,000 guests who stayed at 82 of its hotels. If we do the math, that’s about 1,500 guests per hotel, which, across the 4,000 hotels FastBooking serves, could mean the breach affects nearly 6 million individuals.
By now, the latest data breaches and the size of these breaches should not be a surprise to anyone. However, as we learn more about breaches, we start to notice similarities and differences. So, here are our three key takeaways from the FastBooking data breach.
With many data breaches that we have seen over the last year, we have noticed two very disturbing facts. First, some data breaches went unnoticed for a significant amount of time. Second, many companies didn’t notify users for years in some cases. Take the Yahoo data breach for example. Yahoo incurred two separate data breaches: one in 2013 and another in 2014. However, it took Yahoo over two years to notify their users that a data breach had occurred.
The first thing we noticed about the FastBooking data breach is the very, very short response time. Check out the short timeline below:
- June 14 – Hacker breaches FastBooking’s system
- June 19 – FastBooking discovers intrusion
- June 19 – FastBooking resolves and closes the data breach
- June 26 – FastBooking notifies all affected parties that a breach occurred
That’s the way a data breach should be handled. Why is this so important? Well, if we take a look at the Yahoo data breach again, the hackers had essentially two years to do whatever they wanted with the stolen information. By responding so quickly to the data breach and informing affected users within 12 days, FastBooking gave the hackers much less time to do what they please with the personally identifiable information. That is, IF individuals who believe they have been affected take the necessary steps to protect themselves. We will discuss this further below.
Type of Information Stolen
Like we said before, each data breach allows us to notice trends. As with most data breaches, hackers stole personally identifiable information, or PII. What is PII? Essentially, PII is any data that could potentially help identify who you are or distinguish you from another individual: items such as your first and last name, date of birth, social security number, email address, credit or debit card numbers, etc. In other words, PII is exactly what was stolen by the hacker in this breach and many others. As you can imagine, someone else having access to all of this information could lead to them being able to steal your identity, use your credit or debit card to purchase whatever they want, or breach your personal accounts (think bank or PayPal accounts). This type of information is extremely valuable whether the hacker wants to use it to perform malicious acts themselves or whether they want to sell it on the dark web.
While there’s little to nothing the general user or “guest” in this situation can do about preventing their PII from being compromised in a data breach, it is time to react to the situation if you believe your information has even the slightest possibility of being stolen. While it would be an extreme inconvenience to contact your bank and receive a new debit or credit card, that may not be a terrible idea. When payment card details are stolen, hackers will most likely try to purchase a couple of small items first. By doing this, they are seeing how close an eye you are keeping on your account. If those go unnoticed, meaning you don’t notify your bank of the suspicious activity, they will attempt one big purchase and then disappear into thin air.
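The "a couple of small test charges, then one big purchase" pattern described above is exactly the kind of sequence a cardholder or an issuer's fraud team can look for. The following Python example is added here to illustrate that detection; it is not code from the original post or from FastBooking. The transactions, the thresholds (small charge at most 5.00, at least two small charges, large charge at least 500.00, all within 72 hours) and the field names are constructed assumptions for the example, not figures from the breach.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transaction log for two cards (not real data).
# card-A shows the test-then-large pattern; card-B shows ordinary spending.
SAMPLE_TRANSACTIONS = [
    {"card": "card-A", "ts": "2018-06-20T09:15:00", "amount": 1.99, "merchant": "app-store"},
    {"card": "card-A", "ts": "2018-06-20T09:40:00", "amount": 3.50, "merchant": "coffee"},
    {"card": "card-A", "ts": "2018-06-21T14:05:00", "amount": 1450.00, "merchant": "electronics"},
    {"card": "card-B", "ts": "2018-06-20T10:00:00", "amount": 45.00, "merchant": "grocery"},
    {"card": "card-B", "ts": "2018-06-22T10:00:00", "amount": 60.00, "merchant": "fuel"},
]


def flag_test_then_large(transactions, small_max=5.0, min_small=2,
                         large_min=500.0, window_hours=72):
    """Return the card ids on which at least `min_small` charges of at most
    `small_max` were followed, within `window_hours`, by a charge of at least
    `large_min`. Thresholds are assumptions chosen for this example."""
    by_card = defaultdict(list)
    for t in transactions:
        by_card[t["card"]].append((datetime.fromisoformat(t["ts"]), t["amount"]))

    flagged = []
    for card, events in by_card.items():
        events.sort()  # chronological order per card
        for i, (ts, amount) in enumerate(events):
            if amount < large_min:
                continue  # only a large charge can complete the pattern
            window_start = ts - timedelta(hours=window_hours)
            # Count the small "probe" charges that precede this large charge
            # inside the look-back window.
            smalls = [a for (t0, a) in events[:i]
                      if t0 >= window_start and a <= small_max]
            if len(smalls) >= min_small:
                flagged.append(card)
                break  # one hit per card is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for card in flag_test_then_large(SAMPLE_TRANSACTIONS):
        print(f"review card {card}: small test charges followed by a large purchase")
```

On the constructed data, only card-A is flagged; card-B's two mid-sized charges never complete the pattern. In practice the thresholds would be tuned against real spending habits, and the rule is only one signal among many, but it shows why watching for small unfamiliar charges, rather than only large ones, matters.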
In the majority of data breaches that we see, passwords are oftentimes included in the PII targeted by hackers. While this isn’t the case with the FastBooking breach, if you hear of a breach where passwords are believed to be stolen, it’s extremely important to change them. Speaking from experience, if you have ever had a Yahoo account and haven’t changed your password since the data breach, do that now. You never think your account will be at risk, but believe me, it’s not worth the trouble of regaining access to your Yahoo account and all other accounts associated with it.
As far as the other PII contained in the FastBooking breach (first and last name, nationality, postal address, email addresses, and booking information), there’s absolutely nothing you can do about that. On a good note, it’s very fortunate that social security numbers were not included in the breach. While an individual could still attempt to steal your identity, the social security number is a vital part of doing that.
Lastly, while it may be extremely annoying, you are going to receive an email from every hotel included in the data breach. This email is simply going to notify you of the data breach and will probably include what the company is doing to protect its users in the future.