An open S3 bucket left misconfigured by OwlTing exposed the personal information of about 765,000 guests, mostly from Taiwan. OwlTing is a blockchain technology solutions company that serves the global travel, hospitality and other e-commerce sectors. The misconfigured S3 bucket contained over 16,000 CSV and XLSX documents holding the personal information of guests who had made hotel bookings. The bucket was discovered by a researcher on 29th July 2024, and the issue was remediated on 19th September.
The leaked information included full names, phone numbers, and hotel reservation details, which malicious actors can misuse for identity theft and similar fraud. The leaked files contained only about 3,000 email addresses, a small fraction of the total number of affected customers. About 92% of the affected customers were from Taiwan, followed by guests from Hong Kong, Japan, Malaysia, and other countries.
The compromised data can be used to craft sophisticated phishing attacks that are hard to distinguish from genuine messages. For example, these records could be used to write an email or SMS that references a guest's previous stay and then offers a discount through a phishing link. Customers are far more likely to trust such a link, because the attacker can use their own booking details to make the message look like a genuine offer from the resort or hotel.
Organizations are expected to maintain baseline configurations for all their systems; for S3 buckets specifically, the following configuration guidelines apply.
- Restrict public access to S3 buckets by implementing proper authorization (block public access at the bucket and account level, and grant access only to named principals).
- Implement server-side encryption for data at rest.
- Use AWS KMS to manage the encryption keys.
- Conduct regular audits and monitor the access logs for any traces of unauthorized access attempts.
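The first three guidelines can be checked mechanically. The audit function below is an added example, not code from OwlTing or from AWS; it runs offline over two constructed bucket descriptions whose dicts are shaped like the responses of boto3's get_public_access_block, get_bucket_policy and get_bucket_encryption calls (the bucket name, role ARN, account id and KMS alias in the samples are made up). On a live account the same function would be fed the real responses of those three calls.

```python
import json

# Constructed samples shaped like boto3 responses (None = the setting was never configured).
WEAK_BUCKET = {
    "public_access_block": None,
    "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::guest-exports/*"}]})},
    "encryption": None,
}
HARDENED_BUCKET = {
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::guest-exports/*"}]})},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/guest-exports"}}]}},
}

def _is_anonymous(principal):
    """True for the two wildcard Principal forms that grant access to everyone."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def audit_bucket(bucket):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    # 1. All four Block Public Access flags must be on.
    pab = (bucket["public_access_block"] or {}).get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag, False):
            findings.append(f"public access block: {flag} is not enabled")
    # 2. No unconditional Allow statement for an anonymous principal in the bucket policy.
    statements = json.loads(bucket["policy"]["Policy"]).get("Statement", []) if bucket["policy"] else []
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"bucket policy: anonymous Allow for {stmt.get('Action')}")
    # 3. Default server-side encryption must exist and use a KMS key.
    rules = (bucket["encryption"] or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not algorithms:
        findings.append("encryption: no default server-side encryption configured")
    elif "aws:kms" not in algorithms:
        findings.append("encryption: default SSE does not use an AWS KMS key")
    return findings
```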