A leak at Autoclerk, a reservations management system recently acquired by the Western Hotel & Resorts Group, exposed personal and travel information on hotel guests, including members of the U.S. government, military and Department of Homeland Security.
“Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future,” according to a blog post by vpnMentor, whose researchers, led by Noam Rotem and Ran Locar, discovered the leaky Elasticsearch database hosted by AWS on Sept. 13 as part of a larger web mapping project. “Our team viewed logs for U.S. army generals traveling to Moscow, Tel Aviv, and many more destinations. We also found their email address, phone numbers, and other sensitive personal data.”
One of the platforms exposed through the database belonged to a contractor that manages travel arrangements for U.S. government and military personnel and for independent contractors who work with American defense and security agencies.
“This represents a major flaw in the data security apparatus around such sensitive information,” the blog maintained. “Any company concerned with the travel logistics of high-level military personnel should be adhering to the strictest data protection practices.”
Even after the researchers contacted the United States Computer Emergency Readiness Team (CERT) on Sept. 13, then the U.S. Embassy in Tel Aviv on Sept. 19 and the Pentagon on Sept. 26, the database remained open until October 2.
“The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number,” the researchers wrote. “It affected 1,000s of people across the globe, with millions of new records being added daily.”
The records included names, birthdates, home addresses, phone numbers, travel dates and costs, and masked credit card details; in some cases, “once a guest had checked in to a hotel, their check-in time and room number also became viewable on the database,” the researchers said.
“Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present,” said Brian Bernstein, systems engineer at Lacework, who noted that exposed databases “typically arise from oversights in deployments and network access policies and are generally discovered by researchers” armed with publicly available scanners.
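As an added illustration of the deployment oversight Bernstein describes (example code written for this piece, not from vpnMentor, Autoclerk or Elastic), here is a small Python audit that reads the flat `key: value` lines of an elasticsearch.yml and reports when a node is bound beyond loopback without authentication or HTTP TLS confirmed. The setting names are real Elasticsearch keys; the two sample configs, the private address in them, and the choice to treat unset keys as "not confirmed" are assumptions.

```python
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines typical of elasticsearch.yml.
    Comments and blank lines are skipped; nested YAML is out of scope here."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "on", "1"}

def audit(settings: Dict[str, str]) -> List[str]:
    """Findings for a node reachable beyond loopback without the controls that
    should go with it. Unset keys count as 'not confirmed' because defaults
    differ between Elasticsearch major versions (assumption)."""
    host = settings.get("network.host", "_local_")  # Elasticsearch default: loopback only
    if host in LOOPBACK:
        return []  # only processes on the host itself can reach the HTTP port
    findings = [f"network.host={host} binds beyond loopback; confirm firewall/security group"]
    if not truthy(settings.get("xpack.security.enabled", "")):
        findings.append("authentication not confirmed enabled (xpack.security.enabled)")
    if not truthy(settings.get("xpack.security.http.ssl.enabled", "")):
        findings.append("HTTP TLS not confirmed enabled (xpack.security.http.ssl.enabled)")
    return findings

def is_openly_exposed(settings: Dict[str, str]) -> bool:
    """True when whoever can reach the port can read the data: a non-loopback
    bind with no authentication, the pattern behind the leak described above."""
    return any(f.startswith("authentication") for f in audit(settings))

# Constructed sample configs (assumptions, not the incident's real settings)
WEAK = """
cluster.name: reservations
network.host: 0.0.0.0      # every interface, including the public one
xpack.security.enabled: false
"""
HARDENED = """
cluster.name: reservations
network.host: 10.0.1.15    # placeholder private address; pair with a security group
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
```

Running `audit(parse_flat_yaml(WEAK))` yields three findings, while the hardened config leaves only the reminder to back the private bind with a network access policy, which the config file alone cannot prove.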
“Although there has yet to be any evidence of misuse, 179GB of highly sensitive and personally identifiable information was exposed for at least three weeks, giving cybercriminals plenty of time to find the open database and harvest data to then sell on the dark web or leverage to launch future attacks against the individuals impacted,” said Chris DeRamus, CTO at DivvyCloud. “It is especially alarming that the database contained information on U.S. military and government officials.”
Autoclerk also could take a reputational hit and lose business. “Breaches of business-to-business companies like Autoclerk can be devastating because a growing number of companies are refusing to do business with vendors that do not adequately protect sensitive data,” said Kelly White, CEO of RiskRecon, noting that in July American Medical Collections Agency filed for bankruptcy “shortly after disclosing a breach of its systems – significant customers cancelled their contracts because they no longer trusted that AMCA would protect their cyber risk interests. While Autoclerk may not suffer the same fate, the costs of the breach to them and to their customers will be immense.”