A hacking attack against Fastbooking, which may have exposed hotel guests' personal information and payment card details, is "under control" but it is unclear if any UK hotels have been impacted.
The Paris-based hotel booking software company, which is owned by French hospitality group AccorHotels and works with 4,000 partner hotels in 100 countries, said the "main market affected" was Japan, however it is not known if the site's UK hotel partners are among those to have fallen victim.
"A complaint has been filed with the French Information Technology Fraud Investigation Brigade (BEFTI). The main market affected is Japan and all impacted customers have been informed and dedicated support has been implemented to help them assist their guests."
Adam Brown, manager of security solutions at technology company Synopsys, said: "The FastBooking breach appears to be in conflict with GDPR Article 32 which discusses the security of data processing.
"Article 32 states that a procedure needs to be in place for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. If this was a truly niche exploit, you could also argue that FastBooking acted appropriately given the 'state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing to ensure a level of security appropriate to the risk'-as stated in Article 32.
"Then again, this breach could have involved a well-known vulnerability which could have been detected thought a vulnerability assessment. If it's identified that known vulnerable components were involved that could have been discovered and prevented through a penetration test, for instance, FastBooking can expect to have the law read back to them. It also appears that the data wasn't encrypted, or if it was, the keys weren't kept separately.
"This situation could have potentially been avoided by having a deliberate and effective software security initiative driven by the firm's leadership. However, not enough details are available as of yet to speculate on what went wrong and how it could have been handled differently."
AccorHotels acquired the group in April 2014. Fastbooking's customers include luxury and mid-range brands and hotel chains including Baglioni Hotels, Cresta Hotels and Prince Hotels & Resorts.