- A threat actor used an infostealer to access Otelier’s AWS S3 bucket
- The threat actor exfiltrated nearly 8 TB of sensitive data
- Reservations, personally identifiable data and more were all taken
High-profile hotel chains including Marriott and Hilton have lost sensitive customer data as part of a supply chain attack against a partner.
Otelier is a hotel management platform designed to optimize operations, improve guest experiences and streamline property management processes. It is used by more than 10,000 hotels worldwide, from independent properties to leading industry brands such as Hyatt, Wyndham and more.
Malicious actors recently told Bleeping Computer they used an infostealer to obtain the Atlassian login credentials of an Otelier employee. This access was then used to scrape tickets and other data, allowing them to obtain the credentials for S3 buckets, from which the attackers then exfiltrated 7.8 TB of data, including “millions of documents belonging to Marriott”. Among the information were hotel reports, shift audits and accounting data.
Attack confirmed
A Marriott sample apparently included a “wide variety of data, including hotel guest reservations, transactions, employee emails and other internal data.” In some cases, the attackers obtained the names, addresses, phone numbers and email addresses of hotel guests.
Hundreds of thousands of email addresses were reportedly exposed.
Both Otelier and Marriott confirmed these findings.
“Otelier has been in communication with its customers whose information was potentially involved. In response to this incident, we hired a team of leading cybersecurity experts to conduct a comprehensive forensic analysis and validate our systems,” the company said. Bleeping Computer.
“The investigation determined that the unauthorized access was terminated. To help prevent a similar incident from occurring in the future, Otelier disabled the accounts involved and continues to work to improve its cybersecurity protocols.”
Marriott said the crooks first tried to blackmail the company, believing they owned the data, and the news comes shortly after it was hit with a large penalty to settle earlier security breach claims.
