Prestige Software Hotel Reservation Platform AWS S3 Exposure (November 2020)
Incident Details
Prestige Software, a Spain-based hotel channel management platform used by major online travel agencies including Hotels.com, Booking.com, and Expedia, left a misconfigured Amazon Web Services S3 bucket publicly accessible without any authentication. The exposure was discovered and disclosed by Website Planet researchers on November 6, 2020. The S3 bucket contained 24.4 GB of data comprising over 10 million files, with records dating back to 2013: approximately seven years of hotel reservation data.
The exposed records contained highly sensitive guest and payment information: full names, phone numbers, email addresses, national ID numbers, full credit card numbers (including cardholder names, CVV codes, and expiration dates), reservation numbers, check-in and check-out dates, nightly room rates, number of guests, and special requests. The S3 bucket was still live and actively receiving new records at the time of discovery, with over 180,000 records uploaded in August 2020 alone.
The breach violated PCI DSS (Payment Card Industry Data Security Standard) requirements, which prohibit storing unencrypted CVV codes and mandate strict controls over full card numbers. The presence of full card data including CVVs means the exposed records could be used directly for card-not-present fraud without further processing.
Website Planet contacted AWS directly to expedite resolution; the bucket was secured the following day. Prestige Software serves as a channel manager, a middleware platform that synchronizes hotel inventory and reservations across multiple OTA (Online Travel Agency) channels. This architectural role means a single misconfiguration at Prestige cascaded exposure across guests of numerous hotel brands and OTA partners who had no visibility into the vendor’s storage practices.
The incident is classified as an inadvertent data exposure rather than an active intrusion. No CVEs apply; the root cause was a failure to apply access controls to an S3 bucket. The breach is estimated to have affected millions of hotel guests worldwide across multiple hotel brands and booking platforms, though exact victim counts were not publicly disclosed by Prestige Software.
Technical Details
- Initial Attack Vector: Misconfigured AWS S3 bucket left publicly accessible without authentication; contained hotel reservation records dating back to 2013
- Vendor / Product: Prestige Software
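The page does not say whether the bucket was opened through its ACL or its bucket policy, so this added example (not from the source or from Prestige Software) checks both paths offline, including how the account's Block Public Access settings change the result. The inputs are constructed and shaped like the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses; the bucket name, sample values and function names are assumptions.

```python
# Added example: offline check of S3 bucket settings for anonymous access.
# Input shapes follow the GetBucketAcl, GetBucketPolicy and
# GetPublicAccessBlock responses; all sample values below are constructed.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard(principal):
    # "*" and {"AWS": "*"} both mean "anyone" in a bucket policy.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def public_exposure(grants, policy, block):
    """Return the reasons a bucket is reachable without owner-issued credentials."""
    findings = []
    # IgnorePublicAcls makes S3 disregard public ACL grants.
    if not block.get("IgnorePublicAcls"):
        for g in grants:
            uri = g.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS:
                findings.append(f"acl:{uri.rsplit('/', 1)[-1]}:{g['Permission']}")
    # RestrictPublicBuckets cuts off anonymous use of a public policy.
    if policy and not block.get("RestrictPublicBuckets"):
        for s in _as_list(policy.get("Statement", [])):
            # Simplification: any Condition is treated as narrowing access.
            if s.get("Effect") == "Allow" and _wildcard(s.get("Principal")) \
                    and not s.get("Condition"):
                for action in _as_list(s.get("Action", [])):
                    findings.append(f"policy:*:{action}")
    return findings

ARN = "arn:aws:s3:::example-reservations"  # placeholder bucket name
GRANTS = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [ARN, ARN + "/*"]}]}
NO_BLOCK = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"], False)
FULL_BLOCK = dict.fromkeys(NO_BLOCK, True)

if __name__ == "__main__":
    print("open bucket:  ", public_exposure(GRANTS, POLICY, NO_BLOCK))
    print("block enabled:", public_exposure(GRANTS, POLICY, FULL_BLOCK))
```

Statements that carry a Condition are skipped here and still need manual review, since a condition can be written so loosely that it restricts nothing.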
Timeline
- 2013-01-01 Breach occurred
- 2020-11-06 Publicly disclosed