- A malicious actor used an infostealer to access Otelier’s AWS S3 bucket.
- Malicious actor exfiltrated nearly 8TB of sensitive data
- Reservations, personally identifiable information and more were all taken.
Leading hotel chains including Marriott and Hilton lost sensitive guest data in a supply chain attack on a partner.
Otelier is a hotel management platform designed to optimize operations, improve guest experience and streamline property management processes. It is used by over 10,000 hotels worldwide, ranging from independent properties to major industry brands such as Hyatt, Wyndham, and more.
Malicious actors recently told BleepingComputer that they used an information stealer to steal the Atlassian login credentials of an Otelier employee. This access was then used to retrieve tickets and other data, allowing them to obtain S3 bucket IDs, from which the attackers then exfiltrated 7.8TB of data, including “millions of documents belonging to Marriott.” The information included hotel reports, team audits and accounting data.
Confirmed attacks
A Marriott sample apparently included a “wide range of data, including hotel guest reservations, transactions, employee emails and other internal data.” In some cases, the attackers obtained the names, addresses, phone numbers and email addresses of hotel guests.
Hundreds of thousands of email addresses were reportedly exposed.
Both Otelier and Marriott confirmed these findings.
“Otelier has been in communication with its customers whose information was potentially implicated. In response to this incident, we hired a team of leading cybersecurity experts to conduct a comprehensive forensic analysis and validate our systems,” the company told BleepingComputer.
“The investigation determined that the unauthorized access was terminated. To prevent a similar incident from occurring in the future, Otelier has disabled the affected accounts and continues to work to improve its cybersecurity protocols.”
Marriott said the scammers first tried to extort the company, thinking it had the data. The news comes shortly after Marriott was hit with a significant penalty to settle claims over a previous security breach.