and Expedia Caught in Data Breach

Portrait of Robert Godfrey
Robert Godfrey
Partner, Head of Professional Negligence and Dispute Resolution

Several hotel booking websites have had their customer data potentially exposed after it was found that sensitive data had been stored incorrectly by a company called Prestige Software.

Prestige Software own a channel management platform called Cloud Hospitality, used by online booking websites to automate their hotel booking systems.

The breach came to light after researchers at Website Planet noticed a ‘misconfigured Amazon Web Services (AWS) S3 bucket’, which is a form of cloud-based data storage. This left millions of customers’ personal details exposed, putting them at risk of fraud and cyberattacks.

It’s not yet known whether any customers have fallen victim to a cyberattack, or what the full effect of this GDPR breach could be. But our Data Breach Solicitors are here to help if you find out you’ve been affected.

For free legal advice about making a claim for GDPR Data Breach compensation, get in touch with our Data Breach Solicitors.

Call us on 0808 239 9426 or request a callback

What Personal Data Was Exposed?

Website Planet found that Prestige Software had been incorrectly storing sensitive customer data from as far back as 2013.

This included:

  • Full names
  • National ID numbers
  • Email addresses and phone numbers
  • Credit card details, including the cardholder’s name, their card number, CVV and expiration date
  • Reservation details, including how much customers paid, their reservation number, the number of holiday guests and the dates they stayed

Customers who are worried about their personal data being exposed are being encouraged to contact the company they booked through directly to find out what they’re doing to protect your data.

Which Websites Were Affected?

The report found that many of the world’s largest hotel booking websites were using Cloud Hospitality, including:

  • Agoda
  • Amadeus
  • Expedia
  • Hotelbeds
  • Omnibees
  • Sabre

But Website Planet have stated that they didn’t review all of the exposed files, so it’s likely that there are more websites using Cloud Hospitality who may have also been affected.

What Could the Impact Be?

While there hasn’t been any evidence yet of customers’ sensitive data being exploited, Website Planet said they ‘can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it.’

They also highlighted a few potential ways that this data breach could impact exposed customers in the future. This includes:

  • Credit card fraud and identify theft
  • Hotel guests being targeted by phishing attempts e.g. using details of the hotel they stayed in to sell a convincing scam
  • Malware attacks
  • Blackmail e.g. if a cybercriminal were to find out compromising details about a person’s life and use this against them
  • Reservation takeover e.g. a criminal could ‘take over’ someone’s holiday or pose as a travel agent to trick customers

If you’re worried about any of these things happening to you, you should report your concerns to the company you booked your hotel through and look out for any suspicious activity on your bank accounts and dodgy emails.

Is this a Breach of GDPR?

Even though Prestige Software is used worldwide, they’re subject to EU law because they’re based in Spain. And as they process personal data for people in the UK and across the EU, a breach of this law means they’ve broken GDPR’s data regulations.

If Prestige Software fail to take strict measures to make sure that no more customers are vulnerable, they could face legal action and a huge GDPR fine.

GDPR Data Breach Claims

If you’re a customer of one of the affected websites, such as or Expedia, you might have grounds for a GDPR compensation claim if it’s found that your personal data was breached. We deal with many claims on a No Win, No Fee basis.

Contact our Data Breach Solicitors For a Free Case Assessment

We're happy to help

Monday to Friday 8:30am-7:00pm

0808 239 9426

0808 239 9426

We're happy to call you

Simply click below to arrange the assessment

Request a Free Case Assessment

Contact us for a Free Data Breach Case Assessment

Enter the organisation who has exposed your data

This data will only be used by Simpson Millar in accordance with our Privacy Policy for processing your query and for no other purpose

Simpson Millar Solicitors are a national law firm with over 500 staff and offices in Billingham, Bristol, Cardiff, Catterick, Lancaster, Leeds, Liverpool, London and Manchester.