- A threat actor used a data stealer to gain access to Otelier’s AWS S3 bucket
- Threat actor exfiltrated nearly 8TB of sensitive data
- Reservations, personal identification data and more were taken.
High-profile hotel chains, including Marriott and Hilton, have lost sensitive customer data as part of a supply chain attack against a partner.
Otelier is a hotel management platform designed to optimize operations, improve guest experiences and streamline property management processes. It is used by more than 10,000 hotels worldwide, from independent properties to industry-leading brands such as Hyatt, Wyndham and more.
Malicious actors recently said beepcomputer They used a data thief to obtain the Atlassian login credentials of an Otelier employee. This access was then used to extract tickets and other data, allowing them to obtain credentials for S3 buckets, from which the attackers extracted 7.8 TB of data, including “millions of documents belonging to Marriott.” The information included hotel reports, shift audits and accounting data.
Confirmed attacks
A sample from Marriott apparently included a “wide range of data, including hotel guest reservations, transactions, employee emails, and other internal data.” In some cases, attackers obtained the names, addresses, phone numbers, and email addresses of hotel guests.
Hundreds of thousands of email addresses were said to have been exposed.
Both Otelier and Marriott confirmed these findings.
“Otelier has been in communication with its customers whose information was potentially involved. In response to this incident, we engaged a team of leading cybersecurity experts to conduct a comprehensive forensic analysis and validate our systems,” the company said. beepcomputer.
“The investigation determined that the unauthorized access was terminated. To help prevent a similar incident from occurring in the future, Otelier has disabled the accounts involved and continues to work to improve its cybersecurity protocols.”
Marriott said the criminals first attempted to extort the company, thinking it owned the data, and the news comes shortly after it was hit with a significant fine to resolve previous claims of security breaches.
