Gekko Group, a subsidiary of Accor Hotels, has suffered a major data breach that may have affected a customer base of 600,000 hotels worldwide. Gekko Group is a France-based B2B hotel booking platform, a leading one in Europe, that also owns several smaller hospitality brands. These include Teldar Travel & Infinite Hotel, the two brands most exposed in the database.

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered the data breach and found that the exposed database contained over 1 terabyte of data. This included data from Gekko Group brands and their clients, as well as from external websites and platforms that their systems communicate with, such as Booking.com.

Examples of Exposed Data

As Gekko Group’s brands serve very different functions, there was a huge variety in types of data the research team accessed, including:

  • Hotel and transport reservations
  • Credit card details
  • Personally Identifiable Information (PII) of various parties
  • Login credentials for client accounts on Gekko Group-owned platforms

As these businesses interact with many external platforms in the travel and hospitality industries, the database also contained data originating from platforms outside of the Gekko Group umbrella. The research team viewed database entries in numerous languages, originating from many different countries, mostly in Europe. These included citizens of the following countries:

  • Spain 
  • The United Kingdom
  • The Netherlands 
  • Portugal 
  • France
  • Belgium
  • Italy
  • Israel

Travel Reservations & PII

The data exposed in these reservations included:

  • Full names
  • Email addresses
  • Home addresses
  • PII of children 
  • Travel dates
  • Destination hotels
  • Reservation details (no. of guests, room types, etc.)
  • Price of stays
  • Data from external reservations platforms (i.e. Booking.com)

External platforms whose data was exposed due to interaction with Gekko Group-owned platforms included:

  • Occius – Spanish travel platform
  • Infra – French creative agency
  • Smile – French digital experience and web development agency
  • Mondial Assistance – Polish travel platform
  • Selectour.com – French online travel agency
  • Booking.com – International hotel booking platform
  • Hotelbeds.com – International hotel booking platform

Aside from hotel reservations, the exposed data also included other forms of travel and hospitality-based reservations. These included tickets to Eurodisney, guest transfers between the hotels and airports, excursions and tours, and tickets for the Eurostar train.

Financial Details Exposed

Along with the exposed PII data, many entries contained invoices exposing financial details of travel agents and their customers. The database contained invoices attached to certain reservations, made using credit cards belonging to agents and/or their clients. These included regular, virtual and prepaid credit cards.

For full details on the data breach, visit vpnMentor's website.