Accor Hotels suffers from data breach; users’ personal information gets leaked

Information security specialists from firm vpnMentor, led by expert Noam Rotem, discovered a data breach that affected Gekko Group, a subsidiary brand of Accor Hotels. Gekko Group is a leading European B2B hotel booking platform that also owns several smaller brands.

It seems that the database compromised during this incident hosted a considerable amount of information from Gekko Group and its customers, as well as data related to external sites and platforms such as

Information security experts consider this incident to be a serious threat to the security of compromised information, as a considerable amount of business and customer data from multiple hosting services has been exposed.

In total, more than 1 TB of information was compromised from Gekko Group, affiliated companies and customers, including details such as:

  • Hotel and transport reservations
  • Customer payment card details
  • Personally identifiable information belonging to users and members of companies
  • Login credentials for customer accounts on platforms owned by Gekko Group

Most of the exposed information originated from two platforms owned by Gekko Group: Teldar Travel and Infinite Hotel. These two platforms perform separate tasks related to reservations and user data. Each time a travel agent used the platform to make a reservation for a customer, an entry was recorded in the Gekko Group database.

According to information security specialists, each reservation record exposed includes data such as:

  • Full names
  • Address
  • Email addresses
  • Personal information of family members and companions (including minors)
  • Travel dates
  • Destination hotel

In addition to users’ personal information, many reservation records included invoices, card numbers and other sensitive financial data.

According to information security specialists of the International Institute of Cyber Security (IICS), bad security practices expose not only the company but also its users, who could face multiple variants of cyberattacks, such as identity theft to charge the exposed cards, and phishing, among others.

Because Accor Hotels and Gekko Group are located in France, this incident will be investigated under the rules set out in the European Union General Data Protection Regulation (GDPR); as this is a significant leak, the company now faces possible class actions and fines as set out in the new data protection legislation.