
Published on October 22nd, 2019


Customer data from Best Western and other hotels exposed in massive data breach



A database that included customer booking details belonging to Autoclerk, a hotel reservations system owned by Best Western International Inc., has been found exposed online in yet another case of misconfigured cloud storage.

Discovered by security researchers at vpnMentor, the 179-gigabyte database included names, dates of birth, home addresses, phone numbers, dates and costs of travel, masked credit card details, and check-in times and room numbers.

Some of the details in the database concerned members of the U.S. government, military and the Department of Homeland Security. “Our team viewed logs for U.S. army generals traveling to Moscow, Tel Aviv and many more destinations,” the researchers noted. “We also found their email address, phone numbers and other sensitive personal data.”

Today’s exposure was via an unsecured Elasticsearch database hosted on Amazon Web Services Inc. The database was discovered Sept. 13. The researchers initially contacted the Department of Homeland Security’s United States Computer Emergency Readiness Team, with no response.

The researchers then reached out to the U.S. Embassy in Tel Aviv with the details, again with no response. On Sept. 26, a representative of the Pentagon contacted the researchers, saying that the issue would be dealt with. The database was finally secured Oct. 2.

Autoclerk is owned by Best Western, but it wasn’t only Best Western customer data that was exposed. Autoclerk links into various external client platforms, with data from HAPI Cloud, OpenTravel and Synxis by Sabre Hospitality Solutions also compromised.

Neither Best Western nor Autoclerk has publicly responded to the breach.





“Leaving a database publicly available without any security barriers in place is one of the most common yet preventable causes of data breaches in the cloud,” Chris DeRamus, chief technology officer of cybersecurity firm DivvyCloud Corp., told SiliconANGLE. “The self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, resulting in devastating data leaks, such as this incident with Autoclerk.”

Despite no evidence of misuse of the data, he added, giving cybercriminals at least three weeks to find the open database and harvest data they could then sell or leverage to launch future attacks is “especially alarming,” given that the database contained information on U.S. military and government officials.

Anurag Kahol, CTO of cloud access security broker Bitglass Inc., repeated a mantra of security officials: Companies need to get their act together.

“The Autoclerk database was not protected with any security layers – it indiscriminately granted public access to personally identifiable information including names, home addresses and financial information,” Kahol said. “This type of data can be bought and sold for top dollar on the dark web, further exposing those affected to future fraud and phishing attacks. Additionally, the fact that U.S. government and military personnel had their travel and hotel data exposed in this incident could enable criminals to learn pertinent details about their regular traveling practices, leading to implications for national security.”

Photo: doughay/Flickr
