Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a breach in a database belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts Group. Connected to various travel and hospitality-related platforms online, the exposed database posed a risk to many parties. A few weeks prior to our team discovering the leak, Autoclerk was bought by Best Western Hotel & Resorts Group, potentially exposing one of the biggest hotel chains in the world.
The leak exposes sensitive personal data of users and guests, along with a complete overview of their hotel and travel reservations. It affects 1,000s of people across the globe, with millions of new records added daily.
The most surprising victim of this leak is not an individual or company: it’s the US government, military, and Department of Homeland Security (DHS). The team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future.
Timeline of Discovery and Owner Reaction
Sometimes, the overall extent of a data breach and the owner of the data are obvious, and the issue can be quickly resolved. But most often, we need days of investigation before we understand what’s at stake or who’s leaking the data. Understanding a breach and what’s at stake takes careful attention and time. Some affected parties deny the facts, disregarding our research or playing down its impact. We need to be thorough and make sure everything we find is correct and true.
In this case, due to the number of external origin points and sheer size of the data exposed, the owner of the database remains unclear. Our team continues to work with the parties involved to identify the source of the leak. Meanwhile, we have contacted the United States Computer Emergency Readiness Team (CERT). We outlined the nature of the leak, and the government, military, and DHS data that is exposed. However, at the time of writing, they have not replied to our email, ignoring our concerns.
- September 13th: Database discovered
- September 13th: US-CERT contacted, no response
- September 19th: US Embassy in Tel Aviv notified about the lack of CERT response
- September 26th: Contact made with a representative of the Pentagon, who assures us the issue will be dealt with
- October 2nd: Database closed
Examples of Entries in the Database
While the origins of the database our team discovered are unclear, it’s currently hosted by Amazon Web Services in the USA, containing over 179GB of data. Much of the data exposed originates from external travel and hospitality platforms using the database owner’s platform to interact with one another.
The client platforms affected include property management systems (PMS), booking engines, and data services within the tourism and hospitality industries.
Travel & Hospitality Platforms Affected
Some examples of the external client platforms compromised by the leak include:
- HAPI Cloud
- myHMS and CleanMeNext by Autoclerk
- Synxis by Sabre Hospitality Solutions
While these platforms are mostly based in the US, the leak exposed users all over the world. Our team viewed many unencrypted login credentials for accounts on additional systems external to the database, such as separate PMS platforms, guest ratings & review systems, and more.
Personal & Travel Data Exposed
As the platforms exposed in this leak focus on travel and hospitality, the database contains 1,000s of booking reservations for guests and travellers. This means the personal details of guests in accommodations using an affected platform are also exposed. The exposed information about people making reservations includes:
- Full name
- Date of birth
- Home address
- Phone number
- Dates & costs of travel
- Masked credit card details
On certain reservations, once a guest had checked in to a hotel, their check-in time and room number also became viewable on the database. All this information is incredibly valuable for criminal hackers and online thieves.
US Government Data
The vulnerabilities we’ve described above will be troubling for the ordinary companies and private citizens affected, while for the US government, alarm bells will be ringing. One of the platforms exposed in the database is a contractor of the US government, military, and DHS. The contractor manages the travel arrangements of the US government and military personnel, as well as independent contractors working with American defence and security agencies.
The leak exposes the personally identifying information (PII) of personnel and their travel arrangements. The team viewed logs for US army generals travelling to Moscow, Tel Aviv, and many more destinations. We also found their email addresses, phone numbers, and other sensitive personal data.
This represents a major flaw in the data security apparatus around such sensitive information. Any company concerned with the travel logistics of high-level military personnel should be adhering to the strictest data protection practices. By not doing so, the owner of this database has exposed a wealth of information that governmental and military clients would rather be kept private.
The exposed database should be a concern for all affected parties. From the guests in hotels using the impacted platforms to the senior staff of the US government, whose personnel have now been compromised, everyone is vulnerable to attack and exploitation.
Data Breach Impact
Hackers can use the exposed data to create complex scams targeting the businesses affected, their guests, and the US government.
Combining the guests’ booking reservations and personal data, hackers can find additional information online, creating complete profiles of vulnerable targets. They can then target hotel guests to extract more information, such as financial account details or sensitive passwords. These can be used to steal from victims, embed malware and other forms of attack, extort money, or steal their identities. The exposed data is a goldmine for phishing campaigns. A phishing campaign uses bogus emails imitating real businesses to trick victims into providing passwords or credit card details, or into installing malicious software on a device.
Criminals could pose as hotels or booking engines used by guests, crafting convincing emails to easily fool them. The effects could be devastating, both financially and personally.
With detailed information on their hotel stays, hackers know exactly when guests of hotels using the affected PMS and reservations platforms are on holiday, along with their home addresses. They can use this information to plan home burglaries with minimal risk of being caught or target them abroad.
Impact on the Database Owner and Clients
The same fraud and phishing tactics described above could also be used on businesses impacted by the leak, with far greater consequences. Phishing campaigns and malicious software attacks can be devastating on businesses of all sizes. They compromise the security not just of the business, but also its employees and customers. The vulnerability our team discovered exposes the owners of the database, the many platforms connected to it, and any hotels using those platforms.
An attacker can use this leak to see how the systems interact and gain important knowledge about external servers, including passwords for accounts on other platforms. Hackers and cybercriminals can use this information to plan targeted attacks against all parties exposed, on systems external to this database.
Impact on the US Government
The greatest risk posed by this leak is to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain. This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious. Government employees – especially in the military – are valuable targets to hackers, criminals, and rival governments, for obvious reasons.
While a phishing campaign or other form of attack can be problematic for private citizens and businesses, the implications for a government or military are much graver, compromising national security and the individual safety of the personnel affected. It was through a simple phishing campaign that Russian hackers gained access to the US Democratic National Committee in 2018. This leak also endangers the safety of personnel by giving live information about their travel arrangements. More damaging still, if this data was downloaded, it can be sold on the Dark Web and become almost untraceable.
Advice from the Experts
This data leak could have easily been avoided if the database’s owner had taken some basic online security measures. These can be replicated by any company, no matter its size:
- Secure your servers
- Implement proper access rules
- Never leave a system that doesn’t require authentication open to the internet
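The third point is the one this database failed: an Elasticsearch node was reachable from the internet with no authentication in front of it. As an added example that is not part of vpnMentor’s post and not code from any of the platforms named above, the Python below audits an elasticsearch.yml fragment for exactly that pattern. It uses the real Elasticsearch settings `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`; the two config fragments are constructed samples, and the parser is a deliberately minimal flat key: value reader, not a full YAML parser.

```python
"""Audit an elasticsearch.yml fragment for the exposure pattern behind this leak:
a node bound to a non-loopback address with authentication switched off."""
import ipaddress
import re

# Constructed sample: the risky pattern. The node listens on every interface
# and security is explicitly disabled, so any browser can query the indices.
EXPOSED_CONFIG = """\
cluster.name: reservations
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: hardened. Bound to a private address (assumed), with
# authentication and HTTP TLS on, so anonymous requests are refused.
HARDENED_CONFIG = """\
cluster.name: reservations
network.host: 10.0.12.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_settings(text):
    """Flat 'key: value' reader; comments and blank lines are skipped.
    Sufficient for the top-level settings audited here, not for nested YAML."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip("'\"")
    return settings


def is_public_bind(host):
    """True when the bind address can be reached from beyond the local host."""
    host = host.lower()
    if host in ("_site_", "_global_"):      # Elasticsearch special values for site/global addresses
        return True
    if host in ("_local_", "localhost"):    # _local_ is the Elasticsearch default
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Unknown hostname: treat as reachable and let the finding surface.
        return True


def audit_es_config(text):
    """Return a list of findings; an empty list means none of the audited risks are present.
    An absent xpack setting is treated as 'not confirmed enabled', which is conservative:
    the default differs between Elasticsearch major versions."""
    settings = parse_settings(text)
    findings = []
    host = settings.get("network.host", "_local_")
    public = is_public_bind(host)
    security_on = settings.get("xpack.security.enabled", "").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "").lower() == "true"

    if public and not security_on:
        findings.append(f"CRITICAL: network.host={host} with authentication off: "
                        "indices are readable by anyone who can reach port 9200")
    elif not security_on:
        findings.append("WARNING: xpack.security.enabled is not true; loopback bind is the only protection")
    if public and not tls_on:
        findings.append("WARNING: HTTP TLS is not enabled on a non-loopback bind; credentials travel in clear")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_es_config(cfg) or ["no findings"])
```

The audit reports the exposed sample as critical and passes the hardened one; a node left on the default loopback bind with security off gets only a warning, since it is not reachable from outside, but that is exactly the state that turns into a leak the moment someone changes `network.host` to put it on a public interface.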
For the Platforms Affected
Before adopting software or apps to manage an area of your business, make sure they are following data security best practices. If processing external data, such as that of hotel guests or members of the public, you need to ensure this data is protected from hackers. Compromising your customers’ personal data can create major reputational damage and trust issues in the future.
For Guests of Hotels Impacted
If you’re concerned your data has been compromised in this leak, contact any hotels you’ve recently stayed at to confirm whether they’ve been affected. They should inform you of any steps they’re taking to resolve the issue.
The US Government and Military
All US government bodies affected by this leak should review their vetting procedures for third-party contractors. Any external company dealing with government and military data should be following strict data security protocols and ensuring there are no vulnerabilities in the software they’re using.
How and Why We Discovered the Breach
The vpnMentor research team discovered this breach as part of a huge web mapping project. Our hackers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked. When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the database owner to the breach. If possible, we will also alert those affected by the breach.
The team was able to access this database because it was completely unsecured and unencrypted. However, at the time of writing, the identity of its owner has not been confirmed. Whoever owns the database in question uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time. The purpose of this web mapping project is to help make the internet safer for all users.
As ethical hackers, we’re obliged to inform a company or their clients when we discover flaws in their online security. This is especially true when the company’s data breach contains such sensitive information concerning a nation’s government, military, and defence agencies. These ethics also mean we carry a responsibility to the public, who deserve to be aware of a breach of this magnitude and the implications it has on their interests.