A hotel software provider has exposed the personal data of millions of guests around the world after misconfiguring an AWS bucket, according to a new report from Website Planet.

The tech site’s security team discovered an exposed cloud database belonging to Spanish developer Prestige Software, whose platform enables hotels to automate their availability on booking websites like Expedia.

The misconfigured S3 bucket contained over 10 million individual log files, dating back to 2013. Website Planet researcher, Mark Holden, warned that the total number of affected individuals could be even greater than this, as some logs contained personally identifiable information (PII) for multiple members of a single booking.

Among the leaked data were full names, email addresses, national ID numbers and the phone numbers of hotel guests. For hundreds of thousands of individuals card booking details including card number, cardholder’s name, CVV and expiration date were also exposed.

Prestige’s Cloud Hospitality platform appears to be used by many of the top online travel agent (OTA) sites out there including Agoda, Expedia, Booking.com and Hotels.com.

Website Planet reached out to AWS directly to disclose the incident, which was fixed the day after. Prestige Software also confirmed to it that it is the owner of the data.

The leaked information could have offered malicious third parties a trove of data to commit identity fraud, launch follow-on phishing attacks and even hijack and change booking details.

As a result, the Spanish developer may face questions from GDPR and PCI DSS investigators over the incident.

“Millions of people were potentially exposed in the data breach, from all over the world. We can’t guarantee that somebody hasn’t already accessed the S3 bucket and stolen the data before we found it,” argued Holden.

“So far, there is no evidence of this happening. However, if it did, there would be enormous implications for the privacy, security and financial wellbeing of those exposed.”