Cyber Incident Victim: FastBooking
Date:
Jun 2018
Location:
France
Summary
A cybersecurity breach at a hotel booking software provider compromised guest data from numerous hotels globally. Attackers exploited an application vulnerability to deploy malware, enabling unauthorized server access and data exfiltration. Stolen information included guests' names, nationalities, contact details, and booking specifics, with payment card data (cardholder names, numbers, expiration dates) also taken in some instances. Impact severity varied across affected hotels, ranging from partial guest record theft to combined personal and financial data exposure. One hotel chain alone reported over 124,000 impacted guests across 82 properties, illustrating the incident's scale. The provider discovered the intrusion during internal malware detection on its systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 14, 2018, an attacker compromised FastBooking, a Paris-based hotel booking software provider serving over 4,000 hotels across 100 countries. The intrusion occurred through exploitation of a vulnerability in an application hosted on FastBooking’s server, enabling the installation of malicious software designed to grant remote access. This malware facilitated unauthorized exfiltration of sensitive guest data stored on the compromised system. FastBooking’s internal team discovered the malicious tool during routine operations, prompting an investigation that confirmed the breach. The stolen information included guests’ first and last names, nationalities, postal addresses, email addresses, and hotel booking specifics such as property names and check-in/check-out dates. Payment card details—including cardholder names, numbers, and expiration dates—were also extracted in some instances. Data theft severity varied across FastBooking’s client hotels, with attackers obtaining only personal details from some properties, only payment data from others, or both categories from a subset.
FastBooking notified affected hotel clients via email on June 26, 2018, disclosing the intrusion timeline and scope but not specifying the total number of impacted guests or hotels globally. The breach’s public disclosure emerged concurrently with Prince Hotels & Resorts in Japan becoming the first confirmed affected chain, revealing that 124,963 guests across 82 of its properties had their data stolen. No details regarding technical containment measures, vulnerability remediation, law enforcement involvement, or post-breach forensic analysis were disclosed in the available report. The incident exposed significant risks to hospitality sector vendors managing centralized reservation systems, particularly due to the storage of both identity and financial data. Financial fraud targeting guests and reputational damage to affiliated hotels were immediate consequences, though specific monetary losses or operational disruptions remained unquantified in the source material.