Skip to Content
© Albertshakirov | Dreamstime.com
Security & privacy

Credit card info of millions of guests leaked in travel site data breach

If you’ve traveled any time since 2013, it might be time to check your bank accounts. Three of the web’s biggest travel sites have leaked personal and financial data for millions of users, including payment card details.

As with many other data leaks, traveler information was stored in a database with no form of security or protection. Hackers who came across it could have stolen the data without anyone knowing. Tap or click here for details on another recent database leak.

Victims of the leak may be at risk of having their card numbers stolen. Scammers may also begin targeting leaked email addresses with malware and phishing campaigns. Fortunately, there are a few things you can do to protect yourself and your money.

Hotels.com, Booking.com and Expedia.com suffer data leak of more than 10 million travelers

Prestige Software is a Spanish developer that owns reservation software called Cloud Hospitality. It’s designed to help automate hotel listings on websites like Hotels.com and Expedia.com for online booking.

Recently, security researchers from Website Planet found that Cloud Hospitality stored information from more than 10 million travelers on an unsecured database with no password protection. The data includes payment information, addresses, names and ID numbers.

Reservation details were also exposed that include travel dates and hotel locations.

The exposed information dates back as far as 2013, which means there is almost a decade’s worth of travel information up for grabs on the internet. The database featured at least 180,000 records from August 2020 alone.

Website Planet alerted Amazon Web Services, who hosted the database, about the security hole. AWS removed it a day later, but nobody is sure how long the database was up or whether or not cybercriminals got access to it.

We’ll assume the data is already up for sale on Dark Web marketplaces to be on the safe side.

Tap or click here to see how much your private data sells for on the Dark Web.

Am I affected by the leak? What can I do to protect my information?

If you booked a trip or hotel stay through any of the following websites between 2013 and now, it’s time to take some security precautions to protect yourself and your data:

  • Agoda
  • Amadeus
  • Booking.com
  • Expedia
  • Hotels.com
  • Hotelbeds
  • Omnibees
  • Sabre
  • Plus some other small travel websites not mentioned in Website Planet’s report

Because some of the data from the leak include email addresses and names, be on the lookout for more spam and phishing messages coming to your inbox. Be skeptical about any email you receive, and never click on links from senders you don’t know.

If you think you’re at risk, your biggest priority is to protect your cards and bank accounts. Call your bank, financial institution or card-issuer and let them know that your card was included in a data leak.

Your bank will now watch your account for fraud. Ensure that the bank also issues you a new card and closes your current one so it can’t be used.

You may also want to perform a credit freeze to prevent any new accounts from being opened in your name. Tap or click here to see how to set up a credit freeze.

Next, check your bank apps and set up security features like two-factor authentication to prevent any fraudulent logins.

Tap or click here to see how to set up 2FA for your banks.

Finally, if you have any upcoming travel plans booked through any of these websites, confirm your reservation with the hotel and let front desk personnel know that your account was compromised.

If you don’t play it safe, cybercriminals may be able to change your reservation details and take a vacation on your dime. Don’t give them a chance.

Stop robocalls for good with Kim’s new eBook

Robocalls interrupt us constantly and scam Americans out of millions of dollars every year. Learn Kim's best tricks for stopping annoying robocalls in this handy guide.

Get the eBook