For over a month, U.S.-based hospitality company and franchisee Pyramid Hotel Group (PHG) had been running its intrusion detection system on a unsecured, openly configured server, thereby exposing sensitive information pertaining to its security policies, systems, networks, and application logs, according to researchers.
At the time of its discovery by vpnMentor researchers Noam Rotem and Ran Locar, the publicly accessible server had an Elasticsearch database containing 85.4GB of security audit logs, which also included personally identifying information (PII) about employees working under the Pyramid umbrella.
The data was left unsecured from April 19 through May 29 of this year, vpnMentor reported in a blog post. The researchers noticed the misconfiguration on May 27 and alerted the hotel and resort chain the next day. It reportedly took one additional day for PHG to resolve the issue.
According to a demo video accompanying vpnMentor's blog post, the exposed database contained security event and alert data logged by PHG's open-source intrusion detection system, Wazuh.
"If we dig in, we can see specific details that can be very valuable for us if we were trying to break into the system or if we were doing reconnaissance for information gathering for penetration testing," said the video narrator.
Events observed by the researchers included potentially attempted malicious breaches and other anomalous activity, reported system errors, misconfigurations and policy violations. vpnMentor said other exposed data included server API keys and passwords, device names, IP addresses of incoming connections to the system and geolocation, firewall and open ports information, malware alerts, restricted applications, login attempts, brute force attack detection information, local computer names and addresses (plus alerts indicating which have antivirus installed), detected viruses and malwares, application errors, server names and OS details, information identifying cybersecurity policies, and employee names and usernames.
The researchers also found information pertaining to physical security assets, including hotel locking mechanisms and in-room safes.
"This database gives any would-be attacker the ability to monitor the hotels' network, gather valuable information about administrators and other users, and build an attack vector targeting the weakest links in the security chain," the vnpMentor report states. "It also enables the attacker to see what the security team sees, learn from their attempts based on the alerts raised by the systems, and adjust their attacks accordingly. It's as if the nefarious individuals have their own camera looking in on the company's security office."
"From what we can see, it’s possible to understand the naming convention used by the organization, their various domains and domain control, the database(s) used, and other important information leading to potential penetration," the blog post continues. "This data leak is disclosing information that is private, secret, and would typically be for the eyes of an internal-team or MSSP only."
Based in Boston, PGH manages 69 hotels and resorts and is a franchisee of major hotel brands including Hilton, Hyatt, Marriott and Westin.
Hotel properties whose data was left exposed included the Tarrytown House Estate in New York state, the Carton House Luxury Hotel in Ireland, Aloft Hotels in Florida and Temple Bar Hotel in Ireland, among others.
Pankaj Parekh, chief product and strategy officer at SecurityFirst, told SC media that the much of the data involved in this incident "is outside of the mainstream attention of security practitioners, who have been most focused on protecting the privacy of customer data. Even though it's obvious that security parameters such as these should be very carefully protected, this data was not secured. This is like putting a security system in your house and then posting the pass code on your front door."
SC Media has reached out to Pyramid Hotel Group for comment.