TIME:
11:00am AEST
ESTIMATED DURATION:
1 hour 49 minutes
PARTIES IMPACTED: 
All Bookeasy clients, Guests trying to book online using Bookeasy's gadgets
INCIDENT SEVERITY:
Critical
STATUS:
Resolved


DESCRIPTION

Bookeasy had performed significant load testing and scaling up of the system in the weeks leading up to a planned availability release by a partner on Tuesday 4 July 2023.


Upon the release of availability at 11:00 am AEST, the Bookeasy database came under unprecedented demand, with over 86,700 web page views in the 11:00 am hour, and was unable to handle the volume of requests from visitors. At 11:15 am AEST we completed further scaling up of the database, which resolved the slowness experienced across the entire Bookeasy system, including Bookeasy clients being unable to access their Bookeasy Staff Console.


Due to the high demand on the system, Bookeasy’s webAPI logging was overloaded, causing the webAPI servers to time out at 11:15 am AEST and require restarting. At its peak, we saw 44,000 requests per minute on the webAPI. The timeout meant that no guests were able to make bookings or move through the booking flow in the Bookeasy gadgets. This impacted all users of Bookeasy’s gadgets, both online and internal. To rectify this, we removed logging from the webAPI and scaled the webAPI servers to double their capacity. The webAPI outage was resolved at 12:49 pm AEST.


At 1:00 pm AEST, reports were received of some customers seeing other people’s cart information when making an online booking. This may have included products or basic personal information pre-filled from a guest logging into their guest account, which was then cached and exposed to other users. This occurred as a result of a limitation in a third-party caching system, which was unable to communicate effectively with the webAPI during the outage between 11:00 am and 12:49 pm AEST.


Our comprehensive investigation has confirmed that fewer than 50 bookings were successfully processed by guests who would have been exposed to another guest’s personal details before finalising their booking. There is no evidence of bookings being made using someone else’s data. This was not a data breach caused by any form of cyberattack, but rather a system leak in which information was unknowingly exposed to concurrent users. No highly sensitive information, such as credit card or driver’s licence numbers, was exposed at any stage. To rectify this issue, we have added additional protocols to the Bookeasy gadgets to generate a GUID (globally unique identifier), which will prevent the third-party caching system from serving cached replies to webAPI calls when the system is experiencing extreme load.


Ensuring the security of data and personal information is of utmost importance to us. We wholeheartedly accept responsibility for the problems that arose. We sincerely value the patience and understanding shown by our clients as we continue to address these issues and reaffirm our dedication to offering a secure and effortless booking experience for everyone involved.


As outlined above, remedial measures were taken immediately, and the system was returned to standard operation at 12:49 pm AEST. There was a maximum system outage of 1 hour and 49 minutes.


Should you require any further information, please do not hesitate to contact the Bookeasy team.