The travel reservation data, along with personal details, of hundreds of thousands was discovered in a database exposed online for all to see.
A leaky database owned by reservations management system Autoclerk has exposed the personal data and travel information for thousands of users – including U.S. government and military personnel.
Autoclerk, which was acquired by the Best Western Hotel and Resorts Group in August, provides reservation management software for hotels, accommodation providers, travel agencies and more. Researchers with vpnMentor on Monday said that they discovered an Elasticsearch database, owned by Autoclerk, exposed online that contained over 100,000 booking reservations for travelers.
“The database was hosted by Amazon Web Servers in the USA, containing over 179GB of data,” Noam Rotem and Ran Locar, researchers with vpnMentor, said in a Monday post. “Much of the data exposed originated from external travel and hospitality platforms using the database owner’s platform to interact with one another. The client platforms affected include property management systems (PMS), booking engines, and data services within the tourism and hospitality industries.”
Exposed information included unencrypted login credentials, full names, date of birth, home addresses, phone numbers, dates and costs of travel, and masked credit-card details. For certain reservations, after guests checked in to a hotel, their check-in time and room number also was viewable on the database.
Because Autoclerk software is used by third-party travel agencies, several external accommodation providers’ customers were impacted by the leak. Platforms whose clients were compromised as part of the leak include HAPI Cloud, OpenTravel and Synxis by Sabre Hospitality Solutions.
Disturbingly, one of the platforms exposed in the database was a contractor of the U.S. government, military and Department of Homeland Security (DHS), said researchers. The unnamed contractor manages the travel arrangements of U.S. government and military personnel, as well as independent contractors working with American defense and security agencies.
“For the U.S. government, alarm bells should be ringing,” said researchers. “The leak exposed the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for U.S. army generals traveling to Moscow, Tel Aviv and many more destinations. We also found their email address, phone numbers and other sensitive personal data.”
Beyond the privacy implications of hackers getting their hands on PII of customers, researchers said that the reservation details of customers in the database could provide attackers with valuable clues to piece together fraud or phishing attacks.
For instance, if a bad actor knows the booking details (including dates and locations) for a customer, it would be easy to send them an email pretending to be the hotel or booking engine, asking them to hand over further personal information or credit-card data.
The database could also have physically dangerous implications for victims, researchers said, especially for potentially high-profile government or military personnel: “With detailed information on their hotel stays, hackers would know exactly when guests of hotels using the affected PMS and reservations platforms are on holiday, along with their home addresses.”
The database was discovered and reported to U.S. CERT on Sept. 13. Researchers said that U.S. CERT did not respond to the incident disclosure; so they then made contact with a representative of the Pentagon, who ensured the issue would be dealt with. The database was closed on Oct. 2.
While they labeled the incident a “breach,” vpnMentor researchers did not specify whether the database has been accessed by any third parties; they did not respond to a request from Threatpost inquiring about this detail.
The incident is just the latest in a string of data leaks that exposed sensitive information to the open internet, including Capital One, where a cybercriminal accessed the data of more than 100 million people in the U.S. and 6 million in Canada; as well as auto dealership company Dealer Leads and consulting firm Aliznet.
Jonathan Knudsen, senior security strategist at Synopsys, said in an email that data exposed to the internet with no authentication continues to be a serious problem.
“This incident highlights the need for basic security awareness and education across all industries,” said Knudsen. “Even a basic level of understanding would have made Autoclerk’s deployment team realize the extreme risk of placing so much sensitive information on an unprotected server.”
Autoclerk parent Best Western Hotel and Resorts Group did not respond to a request for comment from Threatpost; U.S. CERT also did not respond to a request for comment.