Teletext Holidays exposed PII of over 200,000 customers for over 3 years
3 September 2019
The failure of Teletext Holidays, a popular travel booking website, in securing over 212,000 audio files led to the exposure of personal details of over 200,000 UK customers to third parties for over three years.
The exposure took place when Teletext Holidays, also known as Truly Travels, uploaded over 212,000 audio files on an Amazon web server but failed to secure the database with a password. According to Verdict, the files were in all probability stored in the unsecured database for over three years before it was discovered.
The audio files contained recordings of customers booking their holidays over the phone and sharing their personal details with the company to complete their individual bookings. These details included names, email addresses, home addresses, telephone numbers, dates of birth, and payment card details.
Teletext Holidays leak did not impact payment card details
Including the audio files, the unsecured database contained 532,000 files. However, the audio files only revealed partial payment card numbers, indicating that the data breach was only limited to personally identifiable information and not financial information of travellers.
The only reason payment card numbers were not revealed was that travellers were asked to type in their card numbers instead of reading them out over the phone.
The audio recordings also contained information about travellers’ schedules, flight timings, cost of travel packages, duration of holidays, and location of destinations.
While personal details of family members, children, and co-passengers of customers were also exposed via the audio files, around 9,000 such recordings were also accompanied by text transcripts, enabling unauthorised parties to steal data from the server with greater ease.
The unsecured Amazon Web Services server was discovered by Verdict, following which it informed Teletext Holidays about the exposure. All 532,000 files stored in the server were promptly removed soon after the firm was informed.
“We are in the process of reporting the matter to the ICO, and we will fully comply with our wider legal obligations. The company is taking all appropriate steps to ensure that this situation does not occur in the future,” the company told Verdict.
Commenting on the massive data exposure by Teletext Holidays, Bill Conner, CEO of Sonicwall, said that since Personally Identifiable Information (PII) is highly sought after by cybercriminals for monetary gain, companies should implement security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course.
“Organisations should learn from breaches like this by taking the opportunity to ensure there are no gaps in their systems for criminals to leverage, stopping them at the edge before they have a chance to infiltrate the network. Once they’re in, they’re able to move laterally to identify the sensitive data that’s highly valued on the dark web,” he added.
Hotels regularly leaking customer details to third parties
This is not the first time that personal information of hundreds of thousands of travellers has been leaked, unintentionally exposed, or deliberately shared by holiday booking firms or hotels with third parties. Earlier this year, research by Symantec Corporation revealed that websites of as many as 67 percent of more than 1,500 hotels in 54 countries leaked booking reference codes to third-party sites such as advertisers and analytics companies.
The sharing of booking reference codes by hundreds of hotels allowed third parties to “log into a reservation, view personal details, and even cancel the booking altogether.”
Candid Wueest, principal threat researcher at Symantec Corporation, noted that a majority of hotel websites also leaked personally identifiable information of their guests that included full names, email addresses, postal addresses, phone numbers, passport numbers, and last four digits of credit card, card type, and expiration dates.