Hackers exploited a web app vulnerability on a FastBooking server to install malware and pilfer data – such as names, email addresses, booking information and payment card data – on guests at hundreds of hotels.
Prince Hotel officials said data on more than 124,000 of its customers was stolen as a result of the hacks on the FastBooking Korean, Chinese and English website, which occurred June 15 and June 17, and affected guests who stayed at one of the hotel's 43 locations between May and August of 2017, according to a report in the Japan Times.
A company spokesman cited in the report said that personal data was purloined in 58,003 leaks while credit card information was stolen in the remaining 66,960 cases.
“I sincerely apologize for all the troubles we caused to our customers and related officials. We will work hard on the investigation to find the cause and to prevent any recurrence,” Prince Hotel President Masahiko Koyama was quoted as saying during a Tuesday press conference.
The Prince Hotel spokesperson said Fastbooking bolstered its security in wake of the breach and that the foreign-language site was shuttered temporarily with reservations accepted only by email.
“Modern organizations deploy a plethora of web applications, accessible from any location. These are an easy target for hackers, who can exploit them and gain access to back-end corporate databases,” said Setu Kulkarni, vice president of corporate strategy at WhiteHat Security, whose annual Application Security Statistics Report shows a “consistently high rate of web applications that are ‘always vulnerable,'” every day.
“Many recent breaches, like FastBooking and the massive Equifax incident that remains top of mind more than half a year later, were caused by fixable web app vulnerabilities,” said Kulkarni.
As web-delivered systems increasingly are “being integrated via application programming interfaces (APIs) to create more complete, seamless and harmonious systems that simplify and aggregate otherwise complex and seemingly disparate interactions,” Kulkarni said organizations “should empower developers to code using security best practices in mind throughout the entire software development life cycle (SDLC), with proper training and even security certifications.”