Unsecure Database Exposed US Military Personnel Data: ReportExposed Database Owned by AutoClerk Hotel Reservation Management System
An unsecure database belonging to a company that provides hotel reservation management technology exposed about 179 GB of customer data, including travel arrangements and other data for U.S. military and other government personnel, according to a new report from two independent security researchers.
The researchers say the database belongs to Autoclerk, which offers cloud-based management systems for web bookings at hotels as well as loyalty programs, payment processing and other services. The firm was acquired by Best Western Hotels and Resorts Group in August.
The unsecure database, which is hosted on Amazon Web Services, was first discovered on Sept. 13 by Noam Rotem and Ran Locar, self-described security researchers and hacktivists, according to their blog post on the site vpnMentor. The two researchers are working on a large-scale web mapping project, using port scanning techniques to look at various known IP blocks and addresses. During this project, they have found weaknesses and data leaks in numerous files and systems that are stored in the cloud and exposed to the internet (see: Mystery Database Exposed Info on 80 Million US Households).
After the researchers contacted Best Western as well as various U.S. government agencies, the database was secured on Oct. 2, the researchers write.
At first, the two researchers found the unsecured Elasticsearch database contained sensitive personal data of "thousands" of hotel guests, along with a complete overview of their hotel and travel reservations, according to the blog post.
A further examination found that the database also contained travel details, both past and future, for U.S. military personnel as well as other government workers, the two researchers report.
The research report does not make clear if anyone downloaded or copied this data when it was exposed, or if any information from the database has been posted for sale on dark net sites. The researchers and Best Western did not immediately respond to a request for comment.
Military and Government Data
Rotem and Locar write in their blog that they did not download the database when they found it, so the full extent of what it contained is not known.
The two researchers note that Autoclerk's platforms facilitate communication between other hotel and booking platforms, so it's possible that much of the data could have originated on other reservation platforms beyond the Best Western chain.
A close examination of the data found personal information about individuals who used the systems to book hotel rooms, including name, date of birth, home address, phone number, dates and cost of travel and masked credit card details, the blog notes.
The unsecured data included sensitive information of U.S. military personnel, Department of Homeland Security staff and other government officials who used the hotel reservation service, according to the report. This included details about U.S. Army generals traveling to Moscow, Tel Aviv and other locations around the world, the researchers write.
"This represents a major flaw in the data security apparatus around such sensitive information. Any company concerned with the travel logistics of high-level military personnel should be adhering to the strictest data protection practices," the two researchers write. "By not doing so, the owner of this database exposed a wealth of information that governmental and military clients would rather be kept private."
Rotem and Locar have tracked a number of exposed databases as part of their research project.
Most recently, the two researchers found a unsecured database owned by an Ecuadorian consulting company left over 20 million records on the South American country's citizens exposed to the internet. The report sparked a police investigation and led Ecuador's president to advocate a new privacy law (see: Investigation Launched After Ecuadorian Records Exposed).