"It's a beginner's security breach during a vacation period," says Nicolas Helin, Option Way's co-founder and operations director. Teams from the young online travel booking platform worked this weekend to fill a potential data leak identified by VPN Mentor's cybersecurity researchers.
"We had migrated to a server used by our developers in late July and an access port (note: an entry) was not closed," says Mathieu Chauvin, CEO of the company. "It was then possible to access the booking indexing systems with 15 days of history, because these data are then erased," he says.
VPN Mentor's Israeli specialists Noam Rotem and Ran Locar have been able to access 100GB of site user data per 100,000 unique monthly visitors. There are names and contact details (e-mail, phone and address), but also dates of departure, return and destinations of about 1500 customers.
This open-source server hosts the "logs", the log of connections to the site, people based in France, but also in Belgium, Switzerland, Algeria and Austria.
No proven leak
"This open database is a gold mine for online identity thieves and other criminals," says VPN Mentor. In addition to the traditional phishing campaigns, thanks to the e-mails retrieved, criminals could also organize burglaries by using the departure dates and the addresses of the customers.
There is no evidence that malicious people have access to it. Option Way ensures that only one connection activity has been recorded on this server, which corresponds to downloading data via VPN Mentor.
"It's a good booster to improve our security", we recognize at the start-up based in the Alpes-Maritimes. As the procedure under the European legislation on the protection of personal data RGPD, the National Commission for Informatics and Liberties (Cnil) was warned of this temporary data leak.