The personal details and payment card data of guests from hundreds of hotels, if not more, have been stolen this month by an unknown attacker, Bleeping Computer has learned.

The data was taken from FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries —as it claims on its website.

Hacker used web app flaw to breach FastBooking's system

In emails the company sent out to affected hotels today, FastBooking revealed the breach took place on June 14, when an attacker used a vulnerability in an application hosted on its server to install a malicious tool (malware).

This tool allowed the intruder remote access to the server, which he used to exfiltrate data. The incident came to light when FastBooking employees discovered this malicious tool on its server.

Incident timeline:

June 14, 2018, 8:43 PM UTC - intruder breaches FastBooking's system.

June 19, 2018, 3:40 PM UTC - FastBooking discovers intrusion.

June 19, 2018, 9:02 PM UTC - FastBooking closes breach.

Guest personal data and card details stolen

According to FastBooking, the intruder stole information such as a hotel guests' first and last names, nationality, postal addresses, email addresses, and hotel booking-related information (hotel name, check-in, and check-out details).

In some cases, but not all, the intruder also obtained payment card details were also stolen, such as the name printed on the payment card, the card's number, and its expiration date.

Not all of FastBooking's customers were impacted the same. The attacker stole just guest details from some hotels, payment card details from others, or both in other cases.

The French company has sent emails to each affected hotel with details about the number of affected guests for each entity, and what type of data the attacker stole.

Bleeping Computer has learned that FastBooking is also providing templates that each hotel can use to notify former guests of the breach, and templates to notify national data protection agencies about the leak of private guest data and their respective payment card details.

In a press release aimed at the Japanese market, FastBooking said the incident affected 380 Japanese hotels alone. It is reasonable to believe the number of impacted hotels across the world is larger than the Japanese tally, possibly going above 1,000.

Bleeping Computer has contacted FastBooking with questions about the total number of impacted hotels, the number of guests who had their private details stolen, and the number of guests who had payment card details taken from FastBooking's server.

The company said it would provide a statement about the incident, but we did not receive one before this article's deadline. Our reporting will be updated when FastBooking answers our questions.

Prepare for a wave of data breach notifications

The FastBooking incident is eerily similar to the PageUp breach that took place at the start of the month. Just like in the FastBooking incident, hackers breached PageUp's servers and used a malicious tool (malware) to steal information from PageUp's customers.

PageUp is a provider of human resources management software for the world's largest companies, and the attacker stole the personal data of job applications at companies all over the world.

That incident triggered a wave of data breach notifications from all the affected companies, and a similar wave is about to start this time as well.

The first hotel chain to inform customers of the FastBooking breach is Prince Hotels & Resorts in Japan. The hotel chain said the incident affected 124,963 guests who stayed at 82 of its hotels.