Gustaffo was alerted about the data leak last week, but the company did not respond. Meanwhile, the misconfigured database is being updated with new and fresh customer data each day.
Austria, Vienna-based digital hospitality company Gustaffo has been caught in a data leak which saw over 100,000 customer records exposed. The cause of the data leak is its misconfigured database which is publically available without any password or security authentication.
What’s worse, the server is still live, and at the time of writing, new details of customers were being uploaded, including the following information:
- Full name
- Mobile numbers
- Email Addresses
- Booking Details
- Booking Links and information
So What is Gustaffo?
According to this press release, Gustaffo was launched in 2016 and had 30 hotels in eight countries using the service. Its first customer was Austria’s largest hotel management company, Vienna House.
A look at Gustaffo’s LinkedIn page explains how the company functions and what services it offers. The company states it provides a “secure” and contactless Digital Guest Journey to Hotels and Hotel Groups.
“From the Check-In online to services during the stay including elevator and room access via the mobile app, and furthermore with Payment and Check-Out never having to go to the reception Via a white-labelled mobile app integrated with all major Property Management Systems your guests can directly access their assigned room via the mobile app instead of the usual key card,” says the About Us section of the company’s LinkedIn page.
Gustaffo was alerted to the security incident last week; however, there has been no response whatsoever, risking the personal details of unsuspecting customers at risk. This was revealed to Hackread.com by independent security researcher Anurag Sen working along with Hieu Minh, a Vietnamese researcher from Chongluadao.
It is worth noting that the researchers discovered the misconfigured cloud database on Shodan while searching for misconfigured cloud databases. For your information, Shodan is an OSINT tool and a specialized search engine used by cybersecurity researchers to locate vulnerable Internet of Things (IoT) devices, including servers and misconfigured databases on the internet.
GDPR Fine
Since Gustaffo has not responded to researchers nor have they secured the data, chances are that the company is completely unaware of the issue. Not only is it bad news for customers, but for Gustaffo itself, as the General Data Protection Regulation (GDPR) is directly effective in every country that is part of the European Union, including Austria.
In September 2021, the Austrian Data Protection Authority Österreichische Datenschutzbehörde issued a €9 million ($9.6 million) fine to the Austrian Post for violations of GDPR. This fine was among the largest fines ever imposed under the GDPR and served as an example of how seriously the law takes data privacy.
However, the fine was overturned by the Federal Administrative Court on December 2nd, 2020. Nevertheless, this fine was among the largest fines ever imposed under the GDPR and served as an example of how seriously the law takes data privacy.
While it’s unclear whether any malicious actors accessed the data or not, researchers are warning customers of Gustaffo to be on their guard against potential phishing attempts or identity theft scams.
Misconfigured Databases – Threat to Privacy
As we know, misconfigured or unsecured databases have become a major privacy threat to companies and unsuspecting users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than 10 billion (10,463,315,645) records to public access without any security authentication.
In 2021, the number of exposed databases increased to 399,200. The top 10 countries with the most database leaks due to misconfiguration in 2021 included the following:
- USA – 93,685 databases
- China – 54,764 databases
- Germany – 11,177 databases
- France – 9,723 databases
- India – 6,545 databases
- Singapore – 5,882 databases
- Hong Kong – 5,563 databases
- Russia – 5,493 databases
- Japan – 4,427 databases
- Italy – 4,242 databases
RELATED NEWS
- 579 GB of users website activity leaked in server messup
- Misconfigured AWS bucket leaked 350m email addresses
- Misconfigured baby monitors exposing video stream online
- Microsoft Power apps misconfiguration leaked 38m records
- Misconfigured backup leaked 50.5m GOMO Mobile user data