European Hotel Group Suffers Data Breach Impacting 600,000 Hotels Worldwide

Gekko Group, a subsidiary of Accor Hotels, has suffered a major data breach that may have affected a customer base of 600,000 hotels worldwide. Gekko Group is a France-based and leading European B2B hotel booking platform that also owns several smaller hospitality brands. These include Teldar Travel & Infinite Hotel, the two brands most exposed in the database.

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered the data breach and found the database exposed contained over 1 terabyte of data. This included data from Gekko Group brands and their clients, as well as external websites and platforms which their systems communicate with, such as Booking.com.

Examples of Exposed Data

As Gekko Group’s brands serve very different functions, there was a huge variety in types of data the research team accessed, including:

Hotel and transport reservations
Credit card details
Personally Identifiable Information (PII) of various parties
Login credentials for client accounts on Gekko Group-owned platforms

As these businesses interact with many external platforms in the travel and hospitality industries, the database also contained data originating from platforms outside of the Gekko Group umbrella. The research team viewed database entries in numerous languages, originating from many different countries, mostly in Europe. These included citizens of the following countries:

Spain
The United Kingdom
The Netherlands
Portugal
France
Belgium
Italy
Israel

Travel Reservations & PII

The data exposed in these reservations included:

Full names
Email addresses
Home addresses
PII of children
Travel dates
Destination hotels
Reservation details (no. of guests, room types, etc.)
Price of stays
Data from external reservations platforms (ie. Booking.com)

External platforms whose data was exposed due to interaction with Gekko Group-owned platforms included:

Occius – Spanish travel platform
Infra – French creative agency
Smile – French digital experience and web development agency
Mondial Assistance – Polish travel platform
Selectour.com – French online travel agency
Booking.com – International hotel booking platform
Hotelbeds.com – International hotel booking platform

Aside from hotel reservations, the exposed data also included other forms of travel and hospitality-based reservations. These included tickets to Eurodisney, guest transfers between the hotels and airports, excursions and tours and tickets for the Eurostar train.

Financial Details Exposed

Along with the exposed PII data, many entries contained invoices exposing financial details of travel agents and their customers.The database contained invoices attached to certain reservations, made using credit cards belonging to agents and/or their clients. These included regular, virtual and prepaid credit cards.

For full details on the data breach, visit the vpnMentor's website.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Are you ready to elevate your security game and take charge of your data-driven decision-making? As today's industry leaders know, data is key to driving impact and success.