European hotel booking platform provider Gekko Group mistakenly stored over 1 terabyte of information on a publicly configured server, exposing troves of data related to its hotel B2B clients, as well as travel agents and their customers.

The majority of the exposed data was collected by Gekko brands Teldar Travel, which provides a booking system for travel agents, and Infinite Hotel, a distribution specialist that provides an inventory of hotels to B2B clients. But other data was originally collected by Gekko's third-party partners and external reservations platforms, including,, Occius, Infra, Smile, Mondial Assistance and

Exposed data included hotel and transportation booking details, personally identifiable information, invoices with credit card details, and plain-text login credentials used by Gekko's clients. Booking info and PII typically consisted of names, email addresses, home addresses, dates of travel, destination hotels and reservation details such as number of guests, room types and price of stays. Outside of room bookings, the database also stored details on theme park and tour excursion tickets, airport transfers, and Eurostar train tickets. The credit card information found on the invoices pertained to a mix of both travel agents and their clients.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.