- CyberNews researchers have discovered a major data leak
- The dataset contained information from over 24 million customers. It probably belonged to the Honotel hotel chain
A leaked data set containing over 24 million hotel records has been discovered by CyberNews researchers, which included names, emails, phone numbers and detailed stay information such as arrival time, number of guests and price paid.
There are strong indications that the dataset belongs to the Honotel Group, a French hospital investment and management company.
The data specifically mentions ‘SITE HONOTEL’, researchers confirmed, as well as booking platforms such as Booking.com – suggesting the leaked database may be part of Honotel’s booking management system.
Guests at risk
Researchers discovered the suspected Honotel leak on October 4, 2024, and the leak was closed on October 7, 2024, so at least the organization acted quickly once the notice was sent.
It is not clear how long the data was available or whether threat actors discovered or stole anything, but the information was discovered on an unprotected Elasticsearch server and Kibana interface.
This puts both the customer and the company at risk. For the customer, the risk when Personally Identifiable Information (PII) is compromised is the risk of fraud and identity theft, as malicious actors can use the data to take out loans, bank accounts or even develop social engineering attacks against victims.
For the company, like the FTC fines, European companies face GDPR regulations, which can result in penalties of up to 4% of a company’s global annual revenue if security best practices are not in place to protect PII.
This comes not long after major incidents prompted the FTC to order the Marriott and Starwood hotel chains to implement more robust security measures after 344 million customers were left exposed in a massive data breach. Marriott systems were exposed for up to four years, earning the company a $52 million fine from the FTC in 2024.
