Otelier, a cloud-based hotel management platform used by more than 10,000 hotels worldwide, has reportedly confirmed a data breach that impacted its Amazon S3 storage, exposing sensitive information from prominent hotel brands such as Marriott, Hilton, and Hyatt. According to information obtained by BleepingComputer, the breach began in July 2024, with continued unauthorised access until October 2024. Threat actors claimed to have accessed and downloaded 7.8 terabytes of data during this period.
The compromised data reportedly includes millions of guest reservations, internal documents, and personal information stored in Amazon AWS S3 buckets managed by Otelier. The affected data also contains nightly hotel reports, shift audits, and financial details. In a statement to BleepingComputer, Otelier confirmed the breach and outlined steps taken in response. “Our top priority is to safeguard our customers while enhancing the security of our systems to prevent future issues,” the company said.
Otelier stated it had hired cybersecurity experts to conduct a forensic analysis of the incident. The company also confirmed it had disabled affected accounts, terminated unauthorised access, and implemented enhanced security protocols to prevent future breaches. Impacted customers have been notified, according to Otelier.
The hackers reportedly gained access to Otelier’s systems by compromising an employee’s login credentials, stolen using information-stealing malware. The credentials allowed access to the company’s Atlassian server, which the attackers exploited to gather additional information, including credentials for the S3 buckets. The attackers claimed they used this access to extract the data, including records linked to major hotel brands. They initially attempted to extort Marriott, mistakenly believing the data belonged directly to the hotel chain. The attackers left ransom notes demanding cryptocurrency payments to avoid data leaks. Otelier rotated credentials in September, cutting off the attackers’ access.
Impact on hotel brands
Marriott confirmed that the breach indirectly affected its systems via Otelier’s platform. The company suspended its automated services with Otelier pending the outcome of the investigation. “Once we were made aware of this incident involving Otelier, we immediately contacted the vendor, which works with numerous hotel companies, and confirmed that they were working with cyber security experts to investigate a security incident that impacted their systems,” a Marriott spokesperson stated. Marriott added that its own systems were not breached and that the suspension of Otelier’s automated services was taken as a precaution.
The Otelier breach is the latest cybersecurity incident to affect the hospitality industry, which has faced repeated challenges in safeguarding guest data. Marriott itself has previously dealt with multiple large-scale data incidents. In October 2024, the hotel giant agreed to a $52m settlement to resolve investigations into three separate breaches that occurred between 2014 and 2020, impacting more than 344 million customers.
The US Federal Trade Commission (FTC) and attorneys general from 49 states and the District of Columbia mandated the implementation of a comprehensive information security program, periodic independent assessments, and compliance certification for 20 years.