- A threat actor used an infostealer to gain access to Otelier’s AWS S3 bucket
- The threat actor exfiltrated almost 8TB of sensitive data
- Reservations, personally identifiable data, and more, were all taken
High-profile hotel chains, including Marriott and Hilton, have had sensitive customer data lost as part of a supply-chain attack against a partner.
Otelier is a hotel management platform designed to optimize operations, enhance guest experiences, and streamline property management processes. It is used by more than 10,000 hotels worldwide, ranging from independent properties, to leading industry brands such as Hyatt, Wyndham, and more.
Malicious actors recently told BleepingComputer they used an infostealer to grab Atlassian login credentials from an Otelier employee. This access was then used to scrape tickets and other data, allowing them to obtain the credentials for S3 buckets, from where the attackers then exfiltrated 7.8TB of data, including “millions of documents belonging to Marriott”. Among the information was hotel reports, shift audits, and accounting data.
Attacks confirmed
A Marriott sample apparently included a “broad range of data, including hotel guest reservations, transactions, employee emails, and other internal data.” In some instances, the attackers obtained hotel guests’ names, addresses, phone numbers, and email addresses.
Hundreds of thousands of email addresses were said to have been exposed.
Both Otelier and Marriott confirmed these findings.
“Otelier has been in communications with its customers whose information was potentially involved. In response to this incident, we hired a team of leading cybersecurity experts to perform a comprehensive forensic analysis and validate our systems,” the company told BleepingComputer.
“The investigation determined that the unauthorized access was terminated. In order to help prevent a similar incident from occurring in the future, Otelier disabled the involved accounts and continues to work to enhance its cybersecurity protocols.”
Marriott said the crooks first tried to extort the company, thinking it owned the data, and the news comes shortly after it was hit with a major penalty to settle previous security breach claims.