Slashdot Mirror


Hundreds of Hotels Affected by Data Breach at Hotel Booking Software Provider (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: The personal details and payment card data of guests from hundreds of hotels, if not more, have been stolen this month by an unknown attacker, Bleeping Computer has learned. The data was taken from FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries -- as it claims on its website.

In emails the company sent out to affected hotels today, FastBooking revealed the breach took place on June 14, when an attacker used a vulnerability in an application hosted on its server to install a malicious tool (malware). This tool allowed the intruder remote access to the server, which he used to exfiltrate data. The incident came to light when FastBooking employees discovered this malicious tool on its server.


  1. How in the hell... by forkfail · Score: 4, Insightful

    ... is this even possible:

    In some cases, but not all, the intruder also obtained payment card details, such as the name printed on the payment card, the card's number, and its expiration date.

    Seriously. How is it possible that this data is not stored on hosts on separate, fortified networks, with decryption keys available only on other locked down machines that exist only to generate bank settlements and/or transmit billing information to the hotel as needed?

    This cavalier attitude by so many organizations towards data security, the culture of expediency over security, and the fact that so often security is a zero-sum game that no one really wants to be involved with has got to change. If it doesn't, there will be such a lack of trust and saturation of everybody's personal data that I could see the entire system becoming destabilized. Wouldn't that be fun. /rant

    --
    Check your premises.