OSINT audit for a European hotel chain

Sector

Hospitality · boutique chain with 8-12 properties · Central and Eastern Europe · 250-400 employees.

Initial situation

Ahead of a funding round, the management team asked us to verify what sensitive information about the organisation was publicly accessible. The concern was triggered by a recent industry incident and by the preparation of a due diligence process in which data handling practices were going to be audited.

Approach

We ran a structured OSINT audit across four fronts: technical surface (exposed subdomains, public repositories, unauthenticated buckets), document surface (Scribd, SlideShare, academic repositories and tender portals), human surface (professional profiles leaking internal infrastructure details) and supplier surface. Findings were cross-checked against the internal inventory provided under NDA. We manually validated each finding to rule out false positives before delivering the report.

Result

Internal documents containing personal data of guests and staff had been unintentionally published in external repositories, along with historical credentials leaked through third-party breaches. We designed a five-day containment plan and prepared the documentation required to notify the relevant regulator within GDPR deadlines.

Lesson

The most serious leaks rarely come from a sophisticated attack: they come from routine processes with no control over where shared documents end up.

Time and effort

12-18 calendar days · 35-50 consulting hours · 1 executive report + 1 technical report + 1 remediation plan.

Tags

OSINT · GDPR · DPO · Incident management · Due diligence · Document hygiene