Open AWS S3 bucket leaked hotel booking credit card authorizations

Groupize denies report by researchers at Kromtech, but locks down repo anyway


UPDATE Another day, another misconfigured AWS storage bucket leaking corporate data, this time from hotel booking service Groupize.

The find was made by Kromtech Security Center researchers and is detailed at MacKeeper.

The discovery has sparked a spat between Kromtech and Groupize, with the latter denying that anything sensitive leaked.

Au contraire, writes MacKeeper's Bob Diachenko, claiming that before they were locked down on August 15 the exposed folders included nearly 3,000 documents detailing “contracts or agreements between hotels, customers and Groupize, including credit cards’ payment authorization forms, with full CC#, expiration date and CVV code”, a leads folder with more than 3,000 spreadsheets, and another folder with more than 32,000 “menus, images and more”.

Diachenko says Kromtech first notified Groupize on August 9.

The company told Kaspersky's Threatpost it's grateful for Kromtech shedding “light on a potential vulnerability”, and added that it's been in touch with customers about the issue and “... steps we’ve taken to further secure our systems.”

The Register has contacted Groupize for comment.

AWS S3 leaks caused by customer configuration blunders are becoming the flavour of 2017. Verizon leaked 14 million customer records, and other open buckets researchers have spotted include those belonging to Dow Jones and voting machine supplier ES&S (both found by former MacKeeper security bod Chris Vickery).

In his new job at UpGuard, Vickery also turned up a bunch of sensitive US geospatial data, while Kromtech went public about WWE fan data leaking in July.

With white-hat-plus-dog Googling for “password AWS”, we expect plenty of others will emerge, even though the default configuration for new AWS storage is that it's private.

Earlier this month, Amazon unveiled its “patrol bot” service Macie, which tries to identify and help shut down unsecured corporate data repositories. ®

Update Groupize has contacted The Reg with the following information:

"The system that used the AWS bucket didn’t process any credit cards. A very small number of credit card authorization forms were incorrectly emailed to hotels and stored in their folders, which is not PCI compliant and how the hotel industry works. Credit Card Authorization forms are to be faxed to hotels to be PCI compliant. After an audit, we informed the very, very limited number of hotels out of 300,000 hotels in our database that these forms existed and removed them."
