Otelier was recently the victim of a large breach, impacting approximately 437,000 individuals.
HaveIBeenPWned (HIBP), a site that tracks data breaches and their impact on consumers, posted some information regarding the breach. According to their notification, a threat actor accessed Otelier systems in 2024. Exfilitrated customer data came from prominent hotels, including Marriot, Hilton, and Hyatt.
According to HIBP, data accessed included emails, names, physical addresses, phone numbers, booking information related to travel, purchases recorded by the platforms, and in some cases, partial credit card data.
Otelier provides software management tools to over 10,000 hotels around the world. According to Infosecurity Magazine, WhiteIntel, a dark web monitoring firm, determined that the breach likely stemmed from infostealer malware. This type of malicious software is designed to steal sensitive information after breaching computer systems.
“We have uncovered several info-stealer-driven credential leaks that appear to grant unauthorized access to Otelier’s GitHub and Atlassian instances…Risk of infostealer related breaches [is] getting higher every day,” said WhiteIntel in a X (formerly Twitter) post.
It’s believed that a threat actor may have tried to sell Otelier data as far back as October 2024.
Otelier provided a statement to Infosecurity Magazine on January 21st, stating, “Our top priority is to safeguard our customers while enhancing the security of our systems to prevent future issues. Otelier has been in communication with its customers whose information was potentially involved.”
In response to the incident, Otelier hired a team of cybersecurity experts to analyze the incident. “The investigation determined that the unauthorized access was terminated,” the spokesperson said. “In order to help prevent a similar incident from occurring in the future, Otelier disabled the involved accounts and continues to work to enhance its cybersecurity protocols.”
Any organization that deals with sensitive financial or personal information could be targeted by threat actors eager to exploit data on the black market. While this data may not be significant enough by itself to lead to identity theft or fraud, it’s possible for actors to aggregate data for a more complete file on individuals.
Supply chain breaches are becoming increasingly prominent, with many vendors, third parties, and software organizations finding themselves the victims of an attack. For customers or patients, this revelation can be confusing, as it’s often unclear where their data has been housed or how it was accessed. In response, it’s become commonplace for individuals to file class action suits in an attempt to ensure change and receive restitution.