Data Privacy Fails: Leaks, Demands, and Erosion of Protections

Millions of sensitive records are now exposed or under threat from misconfigured systems, government overreach, and legislative rollbacks. A hotel check-in company left a million passports and driver’s licenses public in cloud storage. Booking.com warned customers that names, addresses, and phone numbers may have been accessed. Meanwhile, the Department of Justice is demanding identities of 100,000 users of a car app, while Congress moves to weaken federal privacy laws.

Misconfigured Cloud Storage Exposed Hotel Customer Data

A tech firm managing hotel check-in systems failed to secure its cloud storage, leaving over a million customer records—including passports and driver’s licenses—accessible to anyone with an internet connection. According to TechCrunch, the misconfigured settings allowed unrestricted public access to the data without password protection. The breach highlights a recurring problem in hospitality tech: third-party vendors often prioritize convenience over security, exposing sensitive traveler information at scale.

The affected system, used by hotels globally, stored documents that could enable identity theft or fraud. Travelers are now forced to weigh the cost of booking rooms against the risk of their personal identification being left in the digital equivalent of a locked hotel safe that forgot to lock.

Booking.com Faces Data Breach and Rising Scam Calls

Booking.com, which operates 28 million accommodation listings, warned customers that unauthorized parties may have accessed names, emails, addresses, and phone numbers. The company declined to confirm whether credit card details were compromised but advised users to avoid sharing financial information via email, phone, or messaging apps.

Customers like Steve Atkin, who received a scam call posing as Booking.com staff, are now reporting stolen money. Atkin says a fraudster deducted $100 from his account after a refund request. Booking.com responded that the caller was not affiliated with the company. This incident reflects a broader trend: threat actors exploit trust in brands to siphon funds, often with no recourse for victims.

DOJ Demands User Data from Apple, Amazon, and Google

The Department of Justice is demanding Apple, Amazon, and Google identify over 100,000 users of a car-tinkering app called EZ Lynk, according to Forbes. The request includes addresses and purchase histories. While the Justice Department did not specify the legal basis for this demand, the scope of the query raises concerns about the balance between law enforcement access and user privacy.

The app, which likely enables users to modify vehicle software, sits in a gray area between consumer tool and potential security risk. The DOJ’s move could set a precedent for how governments pressure tech companies to hand over data from niche applications with unclear public safety implications.

Congress Pushes to Weaken Protections for Sensitive Records

A bill set to be introduced in the House, the “Data Security and Breach Notification Act of 2015,” would eliminate privacy safeguards for phone, cable, and satellite records. Current rules require carriers to train staff on handling sensitive data and notify customers of breaches. The proposed law would remove these mandates, effectively allowing companies to leak call logs, location data, and viewing histories without accountability.

Computer scientist Ed Felten argues that call records can reveal health struggles, political affiliations, or private relationships. Location data, even without GPS, can map daily routines. The bill’s name—claiming to improve security—contradicts its actual effect: making it easier for companies to mishandle data and harder for individuals to know when their privacy is violated.

What to Watch

Congressional hearings on the 2015 bill will determine whether protections for call records survive. Booking.com’s security team must demonstrate how it’s preventing future breaches. And the DOJ’s EZ Lynk request will test how aggressively agencies can push for user data without clear legal boundaries. For now, the pattern is clear: when companies and governments treat data as an afterthought, users pay the price.