CloudDefense.AI Discovered Major Data Breach of Falkensteiner, Thousands of Customers' Data Exposed

Barbara Ericson
3 Mar
3 min read

CloudDefense.AI was recently featured on SecurityWeek for discovering a significant data breach affecting thousands of customers of the European hotel chain Falkensteiner. The hotel chain is based in Austria and operates across Central and Eastern Europe, including properties in Italy, Croatia, Slovakia, Serbia, and the Czech Republic.

Security researcher Anurag Sen found an unprotected server storing personal information of Falkensteiner customers. Sen's analysis showed that the exposed data was associated with Gustaffo, an IT solutions provider for the hospitality industry. Sen notified both Gustaffo and Falkensteiner about the breach, but neither company responded. Following his notification, however, the server was secured.

According to Sen's analysis, the exposed Elasticsearch server held over 11 GB of data before it was taken offline. Sen found over 102,000 records in the database, including full names, phone numbers, email addresses, and booking details.

Despite Sen's notification, Gustaffo claims that it secured the server after learning about the leak from a different researcher. Gustaffo stated that the incident was limited to one system and that the details of only approximately 13,000 individuals were exposed. Gustaffo representatives explained that many of the records were likely duplicates, since the database does not store the information of more than 13,000 customers. The company says it has performed the necessary security updates to its system and is in touch with the government authorities handling the incident.

Sen is unhappy with the way the issue has been handled by both Falkensteiner and Gustaffo. He states that neither company responded to his emails and that customers have not been notified about the breach. It is unclear whether Falkensteiner or Gustaffo will inform customers about the incident, or whether they will face any regulatory action as a result of the breach.

This incident highlights the importance of companies taking data privacy seriously and having robust security measures in place to protect sensitive customer information. It is also crucial for companies to have responsible disclosure programs in place so that researchers can report vulnerabilities without fear of retaliation. Customers have a right to know if their personal information has been compromised so that they can take steps to protect themselves from potential fraud or identity theft.

Barbara Ericson
A longtime open source contributor, with extensive experience in DevOps principles and practices. Barbara is especially interested in helping IT businesses and organizations implement DevOps, cloud-native technologies, and open source.