Monde Travel Company, a worldwide travel company, has recently closed access to a database that was accidentally made available on the open internet. This database contained confidential information about customers, including detailed information about air tickets, hotel bookings, and unencrypted credit card numbers.
The exposure was discovered by Anuraga Senu, an independent researcher in the field of cybersecurity, who then shared this information with the publication TechCrunch. According to Senu, the database was hosted in the Oracle cloud and did not require a password to access. This allowed anyone with the IP address to access the confidential data through a web browser. The database could also be found through the easily guessed subdomain of one of Monde’s units.
The majority of the data in the 1.7 terabyte database belonged to Monde’s subsidiary, TripPro, which provides online booking and hotel services for thousands of travel agents and tourism startups.
The exposed database contained personal information such as names, gender, date of birth, home addresses, air travel data, and passport numbers. It also included detailed reservation information, including full passenger data. Shockingly, the database stored customer credit card numbers and their expiration dates without any form of encryption.
TechCrunch reached out to individuals affected by the data leakage, and they confirmed that the information in the database was real.
Shodan, a search engine for internet-connected devices, first detected the availability of the database on the internet at the end of July 2023. The exact cause of the exposure is unknown, but such exposures are often due to careless errors in settings.
Monde representatives have not commented on this cybersecurity incident or provided any explanations. However, after the company was notified, access to the database was promptly closed.
Unfortunately, it is still unclear whether anyone else, besides Anuraga Senu, was able to access the database during the period it was open or if any malicious actors took advantage of this opportunity.
Monde has not yet announced if it plans to inform affected customers about this data leak or take any measures to mitigate the consequences, such as credit history monitoring if any malicious activity on client data is discovered.