Hotel management platform Otelier has suffered a major data breach, exposing millions of guest reservations and personal details from well-known hotel brands such as Marriott, Hilton, and Hyatt.
The breach, which began in July 2024 and persisted until October, resulted in nearly 8TB of data being stolen from the company's Amazon S3 cloud storage.
Otelier, formerly known as MyDigitalOffice, provides cloud-based hotel management solutions to over 10,000 hotels worldwide, handling reservations, transactions, nightly reports, and invoicing. The breach was first reported by threat actors who claimed they had gained unauthorized access to Otelier's systems through stolen credentials.
According to BleepingComputer, the attackers initially compromised Otelier's Atlassian server using an employee's credentials, which were stolen through information-stealing malware. Once inside the Atlassian system, the attackers scraped internal support tickets and documentation, uncovering further credentials that granted them access to Otelier's Amazon S3 buckets. With this access, the hackers reportedly downloaded 7.8TB of sensitive data, including:
- Nightly hotel reports
- Shift audits
- Accounting data
- Hotel guest reservations and transaction records
- Employee emails and internal communications
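The intrusion above ran for months inside Otelier's S3 environment before the credentials were rotated, which is the window a volume-based detection would target. The following is an added, defender-side illustration, not code from the article, Otelier or any of the hotel brands: it parses constructed S3 server access log lines (placeholder account, principal, IP and key names) and flags any (principal, source IP) pair that pulls more than a threshold of object bytes. Keying on the source IP matters because stolen long-lived keys show up in logs as the legitimate IAM user.

```python
import re
from collections import defaultdict

# Constructed sample lines in Amazon S3 server access log layout. Accounts, IPs,
# bucket and object names are placeholders, not data from the Otelier incident.
SAMPLE_LOGS = [
    'ownerid reports-bucket [05/Aug/2024:02:10:11 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/app-reports 1A2B REST.GET.OBJECT nightly/2024-08-04.csv "GET /nightly/2024-08-04.csv HTTP/1.1" 200 - 4194304 4194304 45 12 "-" "aws-sdk-java/1.12" -',
    'ownerid reports-bucket [05/Aug/2024:02:10:12 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/app-reports 1A2C REST.GET.OBJECT nightly/2024-08-04.pdf "GET /nightly/2024-08-04.pdf HTTP/1.1" 200 - 2097152 2097152 40 10 "-" "aws-sdk-java/1.12" -',
    'ownerid reports-bucket [05/Aug/2024:03:41:00 +0000] 198.51.100.77 arn:aws:iam::111122223333:user/support-export 9F01 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 1536 - 20 5 "-" "aws-cli/2.15.0" -',
    'ownerid reports-bucket [05/Aug/2024:03:41:03 +0000] 198.51.100.77 arn:aws:iam::111122223333:user/support-export 9F02 REST.GET.OBJECT guests/reservations-2023.sql.gz "GET /guests/reservations-2023.sql.gz HTTP/1.1" 200 - 734003200 734003200 9000 15 "-" "aws-cli/2.15.0" -',
    'ownerid reports-bucket [05/Aug/2024:03:58:40 +0000] 198.51.100.77 arn:aws:iam::111122223333:user/support-export 9F03 REST.GET.OBJECT guests/users-2023.sql.gz "GET /guests/users-2023.sql.gz HTTP/1.1" 200 - 1258291200 1258291200 14000 15 "-" "aws-cli/2.15.0" -',
]

# S3 access log fields are space-separated, except the bracketed timestamp and
# the double-quoted request URI / Referer / User-Agent, which may contain spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    """Split one S3 server access log line into the fields this check needs."""
    f = TOKEN.findall(line)
    # Field 11 is "Bytes Sent"; S3 writes "-" when nothing was returned.
    bytes_sent = 0 if f[11] == "-" else int(f[11])
    return {"time": f[2].strip("[]"), "ip": f[3], "requester": f[4],
            "operation": f[6], "key": f[7], "bytes_sent": bytes_sent}


def bulk_download_report(lines, byte_threshold=1 << 30):
    """Sum REST.GET.OBJECT bytes per (requester, source IP); return pairs over threshold."""
    totals = defaultdict(lambda: {"objects": 0, "bytes": 0, "keys": []})
    for rec in map(parse_line, lines):
        if rec["operation"] != "REST.GET.OBJECT":
            continue  # bucket listings and HEADs do not move data out
        t = totals[(rec["requester"], rec["ip"])]
        t["objects"] += 1
        t["bytes"] += rec["bytes_sent"]
        t["keys"].append(rec["key"])
    return {k: v for k, v in totals.items() if v["bytes"] >= byte_threshold}


if __name__ == "__main__":
    for (principal, ip), t in bulk_download_report(SAMPLE_LOGS).items():
        print(f"{principal} from {ip}: {t['objects']} objects, {t['bytes']} bytes")
        print("  keys:", ", ".join(t["keys"]))
```

In production the same aggregation would run over a rolling window (CloudTrail data events or Athena over the access logs) with a baseline per principal rather than a fixed byte threshold.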
Security researcher Troy Hunt, who reviewed samples of the stolen data, confirmed that it includes personal information such as guest names, addresses, phone numbers, and email addresses. Hunt also noted that a reservations table contained approximately 39 million rows, while a users table held around 212 million entries, though many were duplicates.
Marriott, Hilton, and Hyatt impacted
Marriott confirmed that the breach affected its data stored within Otelier's systems, prompting the company to suspend automated services provided by Otelier while the investigation continues. However, Marriott emphasized that its own internal systems were not compromised.
“Once we were made aware of this incident involving Otelier, we immediately contacted the vendor, which works with numerous hotel companies, and confirmed that they were working with cybersecurity experts to investigate a security incident that impacted their systems,” a Marriott spokesperson told BleepingComputer.
The breach also included records tied to Hyatt, Hilton, and Wyndham, though these companies have not yet commented on the incident.
Extortion attempt and data exposure
The attackers initially attempted to extort Marriott, believing the stolen data belonged directly to the hotel chain. They left ransom notes requesting cryptocurrency payments in exchange for not leaking the data. However, no communication occurred, and the hackers reportedly lost access in September after Otelier rotated credentials.
Despite Marriott's claim that no highly sensitive information was exposed, samples of the breached data reviewed by BleepingComputer suggest otherwise. No passwords or billing information appear to have been stolen, but the exposed data could still be exploited for targeted phishing attacks. In October 2024, the FTC imposed a $52 fine on the hotel giant for multiple security lapses occurring between 2014 and 2020.
The stolen data from this latest breach is being added to Have I Been Pwned, allowing affected individuals to check if their email addresses were included in the breach. However, the alerting service has not yet circulated notices to impacted individuals.
Given the nature of the exposed data, individuals who have stayed at hotels using Otelier's services should remain vigilant for phishing emails and scam attempts. Additionally, watch for any unusual activity on hotel loyalty programs or accounts, and enable multi-factor authentication on hotel-related accounts to add an extra layer of security.