
Open AWS S3 bucket leaked hotel booking credit card authorizations

Groupize denies report by researchers at Kromtech, but locks down repo anyway

UPDATE Another day, another misconfigured AWS storage bucket leaking corporate data, this time from hotel booking service Groupize.

The find was made by Kromtech Security Center researchers and is detailed at MacKeeper.

The discovery has sparked a spat between Kromtech and Groupize, with the latter denying that anything sensitive leaked.

Au contraire, writes MacKeeper's Bob Diachenko, claiming that before they were locked down on August 15 the exposed folders included nearly 3,000 documents detailing “contracts or agreements between hotels, customers and Groupize, including credit cards’ payment authorization forms, with full CC#, expiration date and CVV code”, a leads folder with more than 3,000 spreadsheets, and another folder with more than 32,000 “menus, images and more”.

Diachenko says Kromtech first notified Groupize on August 9.

The company told Kaspersky's Threatpost it's grateful for Kromtech shedding “light on a potential vulnerability”, and added that it's been in touch with customers about the issue and “... steps we’ve taken to further secure our systems.”

The Register has contacted Groupize for comment.

AWS S3 leaks, due to customer configuration blunders, are becoming the flavour of 2017. Verizon leaked 14 million customer records, and other open buckets researchers have spotted include those belonging to Dow Jones and voting machine supplier ES&S (both found by former MacKeeper security bod Chris Vickery).

In his new job at UpGuard, Vickery also turned up a bunch of sensitive US geospatial data, while Kromtech went public about WWE fan data leaking in July.

With white-hat-plus-dog Googling for “password AWS”, we expect plenty of others will emerge, even though the default configuration for new AWS storage is that it's private.

Earlier this month, Amazon unveiled its “patrol bot” service Macie, which tries to identify and help shut down unsecured corporate data repositories. ®

Update Groupize has contacted The Reg with the following information:

"The system that used the AWS bucket didn’t process any credit cards. A very small number of credit card authorization forms were incorrectly emailed to hotels and stored in their folders, which is not PCI compliant and how the hotel industry works. Credit Card Authorization forms are to be faxed to hotels to be PCI compliant. After an audit, we informed the very, very limited number of hotels out of 300,000 hotels in our database that these forms existed and removed them."
