In 2024, a significant data breach was reported involving Otelier, a cloud-based hotel management software provider that services prominent hotel brands, including Marriott, Hilton, and Hyatt. The breach was linked to unauthorized access to Otelier’s systems, which are used to optimize hotel operations for over 10,000 properties worldwide. A threat actor gained access to Otelier’s data, exfiltrating a range of sensitive customer information. This breach compromised a total of 437,000 customer email addresses, along with physical addresses, phone numbers, booking details, travel plans, and even partial credit card data in some cases.
The data breach was made public by HaveIBeenPwned (HIBP), which added the compromised information to its database.
The data breach was made public by HaveIBeenPwned (HIBP), which added the compromised information to its database. According to HIBP, the breach also involved a significant number of email addresses linked to online booking platforms like Booking.com and Expedia, though they were not included in the database update. The breach has raised significant concerns over the security of third-party software providers in the hospitality industry, with some researchers pointing to the use of infostealer malware as a possible cause behind the unauthorized access.
Further investigation into the breach revealed that the threat actor likely used infostealer-driven credential leaks to gain access to Otelier’s systems, which included its GitHub and Atlassian instances. In October 2024, researchers from DarkWebInformer uncovered a database of stolen records being sold on BreachForums by a threat actor known as “worry.” This incident has highlighted the growing risk of data breaches stemming from software supply chains and the increasing number of cyberattacks targeting the hospitality sector, which holds vast amounts of personal and financial guest information.
The breach also comes on the heels of other notable incidents in the hotel industry. In 2024, Marriott reached a $52 million settlement over a multi-year data breach affecting over 131 million American customers. The Otelier incident underscores the growing challenges organizations face in protecting sensitive data, especially in industries heavily reliant on digital systems and third-party vendors. The breach also reflects a broader trend in which cybercriminals are targeting digital supply chains as they continue to exploit vulnerabilities in widely-used software platforms.
Reference: