The Target: Otelier, previously known as MyDigitalOffice, is a cloud-based hotel management solution used by over 10,000 hotels worldwide to manage reservations, transactions, nightly reports, and invoicing.
The Take: The small samples seen by BleepingComputer include a broad range of data, including hotel guest reservations, transactions, employee emails, and other internal data. Some of the personal information exposed includes hotel guests' names, addresses, phone numbers, and email addresses.
The Vector: The threat actors behind the Otelier breach told BleepingComputer that they initially hacked the company's Atlassian server using an employee's login. These credentials were stolen through information-stealing malware, which has become the bane of corporate networks over the past few years.
This breach highlights the extreme importance of timely software updates for known software vulnerabilities, not only in systems directly under a firm’s control, but in third-party systems the firm relies upon as well. The longer a firm, or its vendors, hold out on deploying the most up-to-date software for their systems, the greater the chance an attacker will exploit the issue.