Introduction
A significant data breach involving the hotel management software provider Otelier has compromised the personal information of customers from major hotel chains, including Marriott [3] [4] [6] [7], Hilton [1] [2] [3] [4] [5] [6] [7], and Hyatt [2] [3] [4] [6] [7]. This breach highlights the vulnerabilities in cybersecurity practices and the potential risks to personal data.
Description
Customers of major hotel chains [7], including Marriott [3] [4] [6] [7], Hilton [1] [2] [3] [4] [5] [6] [7], and Hyatt [2] [3] [4] [6] [7], have had their personal information compromised due to a significant data breach involving the hotel management software provider Otelier [7]. The breach, which began on July 1, 2024, and continued through October [4] [6], was initiated when threat actors exploited stolen employee credentials to gain unauthorized access to Otelier’s Amazon S3 cloud storage, exfiltrating nearly 8TB of sensitive data from over 10,000 hotels. This incident exposed millions of guests’ personal information [4] [6], including approximately 436,855 customer records containing email addresses, names [3] [4] [5] [6] [7], physical addresses [3] [7], phone numbers [3] [4] [5] [6] [7], booking information [3] [4] [7], and some abbreviated credit card details [5]. Additionally, there were 868,000 generated email addresses from booking platforms like Booking.com and Expedia that were not included in the data breach notification site HaveIBeenPwned (HIBP) [7].
The leaked information poses a significant risk for targeted phishing attacks [5], prompting affected individuals to change passwords [5], monitor for unauthorized changes [5], and consider enabling multi-factor authentication or using passkeys [5]. Cybersecurity expert Troy Hunt noted that the breach involved a vast dataset [6], with 39 million rows in the reservations table and 212 million in the users table [6], identifying 1.3 million unique email addresses among the exposed data [6]. While passwords and billing details were reportedly not compromised [6], the personal information could be exploited for phishing campaigns [6], necessitating vigilance among affected individuals [6].
The breach was facilitated by the compromise of Otelier’s Atlassian server, allowing attackers to scrape tickets and access sensitive information. The cybercriminals attempted to extort Marriott by demanding ransom payments in cryptocurrency to prevent the publication of the stolen data, mistakenly believing the S3 buckets belonged to the hotel chain [4]. Both Otelier and Marriott have acknowledged the breach [1], with Otelier stating it has communicated with affected customers and engaged cybersecurity experts for a forensic analysis [1]. Marriott confirmed the breach’s impact and suspended automated services provided by Otelier during the ongoing investigation [4] [6]. The company has since disabled the compromised accounts and is enhancing its cybersecurity measures [1]. The data breach was attributed to a source identified as ayame@xmpp.jp [7], and it was reported that the attackers initially believed Marriott owned the stolen data. This incident underscores the critical need for robust cybersecurity practices to protect against similar threats [3].
Conclusion
The data breach involving Otelier serves as a stark reminder of the importance of robust cybersecurity measures to protect sensitive information. Affected individuals are advised to remain vigilant against potential phishing attacks and to adopt enhanced security practices, such as multi-factor authentication [5]. Organizations must prioritize cybersecurity to prevent similar incidents in the future, ensuring the protection of personal data and maintaining customer trust.
References
[1] https://www.techradar.com/pro/security/millions-of-hotel-guest-reservations-leaked-in-otelier-data-breach
[2] https://www.borncity.com/blog/2025/01/20/cyber-vorfall-bei-hotel-management-plattform-otelier-daten-abgezogen/
[3] https://www.hookphish.com/blog/critical-alert-recent-otelier-data-breach/
[4] https://unsafe.sh/go-290009.html
[5] https://www.heise.de/en/news/Hilton-Hyatt-Marriott-437-000-data-records-from-management-platform-at-HIBP-10248498.html
[6] https://www.archyde.com/otelier-data-breach-exposes-millions-of-hotel-guests-personal-info-and-reservations/
[7] https://www.infosecurity-magazine.com/news/data-half-million-hotel-guests/
