Customers of some of the world’s best-known hotel chains have had their personal information compromised after a threat actor targeted an industry software supplier, it has emerged.
The threat actor appears to have gained unauthorized access to hotel management software provider Otelier. The firm’s cloud-based software helps hotels optimize their operations. It claims to support “the world’s best hospitality brands, owners, and operators across over 10,000 properties.”
According to data breach notification site HaveIBeenPwned (HIBP), a threat actor gained access to Otelier systems in 2024, exfiltrating customer data from brands including Marriott, Hilton and Hyatt.
HIBP added almost half a million unique accounts from the breach to its database over the weekend.
“The data included 437k customer email addresses (a further 868k generated email addresses from the booking.com and Expedia platforms were not loaded into HIBP), names, physical addresses, phone numbers, booking information related to travel plans, purchases recorded by the platform and in a small number of cases, partial credit card data,” the HIBP entry noted.
“The data was provided to HIBP by a source who requested it be attributed to ayame@xmpp.jp.”
Threat researchers at dark web monitoring firm WhiteIntel took to social media to reveal more about the incident, claiming that it likely stemmed from infostealer malware.
“We have uncovered several info-stealer-driven credential leaks that appear to grant unauthorized access to Otelier’s GitHub and Atlassian instances,” the company said in a post on X (formerly Twitter). “Risk of infostealer related breaches getting higher every day.”
In October 2024, threat intelligence researchers at DarkWebInformer warned that a threat actor with the moniker “worry” was selling a database of records stolen from Otelier, formerly known as MyDigitalOffice (MDO), on BreachForums.
The incident highlights the challenges facing organizations in mitigating risk across extensive digital supply chains. The number of companies impacted by supply chain breaches more than tripled in Q1 2024 versus the same period in 2023, according to non-profit the Identity Theft Resource Center (ITRC).
The hotel industry is a particularly attractive target, given the large volumes of personal and financial guest data it stores.
In 2024, Marriott agreed to pay a $52m settlement to 50 US states relating to a large multi-year data breach impacting over 131 million American customers.
Infosecurity has contacted Otelier for more information on the incident.