Flaws in a reservations management system owned by the Best Western hotel chain has led to the exposure of thousands of individuals' personal information, as well as data belonging to the US military.
Highly sensitive data belonging to personnel working for the US government, the Department for Homeland Security (DHS) and the military was seen by researchers from vpnMentor, including travel arrangements both past and future.
The Autoclerk system is a combined reservations platform for hotels, accommodation services and travel agencies which is powered by a server and cloud-based property management systems (PMS), web booking engine, and other systems. This platform was only purchased by Best Western a matter of weeks ago.
General Data Protection Regulation (GDPR) 100GB of secret NSA data found on unsecured AWS S3 bucket 'BuckHacker' search tool lets users trawl through unsecure AWS buckets
The researchers managed to gain access to a host of hotel and travel platforms, as a result of the data leak. They viewed such details as login data from users based all over the world in an unencrypted format, which then allowed them to gain access into accounts on external systems such as different PMS platforms, and guest review systems.
"The vulnerabilities we've described above will be troubling for the ordinary companies and private citizens affected," the researchers said. "For the US government, alarm bells should be ringing."
"The greatest risk posed by this leak was to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain.
"This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious. Government employees - especially in the military - are valuable targets to hackers, criminals, and rival governments, for obvious reasons."
The database exposed was hosted by Amazon Web Servers (AWS) in the US, and contained more than 179GB worth of data. The majority of this, however, originated from external travel and hospitality platforms using the database owner's platform to communicate with one another.
Hundreds of thousands of booking reservations for guests and travellers were exposed as part of the leak, including details such as full name, home address, dates and costs of travels and masked payment card details. On certain entries, the check-in time and room number of guests became viewable on the database once people had checked in.
The massive database also contained the sensitive details of many associated with lines of work in the government and the military, including the personally identifying information (PII) and travel arrangements of senior officials. The researchers, for example, saw logs for US army generals travelling to Russia and Israel, among many other destinations.
The researchers discovered the breach as part of a huge web mapping project, using port scanning to examine particular IP blocks and test open holes in systems for weaknesses. The team was able to access the Elasticsearch database because it was "completely unsecured and unencrypted".
Some of the risks, beyond the immediate threat of phishing or financial crime, include the idea that criminals are able to effectively plan burglaries while individuals are known to be travelling abroad. Guests could also be targeted while on holiday if their room numbers have been exposed via the database.
The vpnMentor researchers added the data leak could have easily been avoided if the owner of the database, Autoclerk, had taken a number of security measures that included securing the servers, implementing access rules, and not leaving the system open to the internet.
The database was first discovered by researchers on 13 September, before vpnMentor then approached the United States Computer Emergency Readiness Team (US-CERT) and subsequently the US Embassy in Tel Aviv. The Pentagon was eventually reached on 26 September, with representatives assuring the researchers the issue would be dealt with. The exposed database was then closed on 2 October.
IT Pro approached Best Western for a statement.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.