An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers.
On Monday, vpnMentor's cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group.
Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.
In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor's web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within.
The team says that "thousands" of individuals were impacted, although for ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number.
Hundreds of thousands of guest booking reservations were available to view. Exposed data included full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details.
Data breaches are a common occurrence, and a single successful cyberattack can compromise information belonging to thousands or millions of people.
What is more uncommon, however, is that US government and military figures have also been affected by this security incident.
It appears that one of the platforms connected to Autoclerk exposed in the breach is a contractor of the US government that deals with travel arrangements.
vpnMentor was able to view records relating to the travel arrangements of government and military personnel -- both past and future -- who are connected to the US government, military, and Department of Homeland Security (DHS).
Within the records, for example, were logs for US Army generals visiting Russia and Israel, among other countries.
Autoclerk facilitates communication between different hospitality platforms, and it appears that a substantial portion of the data originated from external platforms. In total, the database -- hosted by AWS -- contained over 179GB of data.
At the time of writing it has not been possible to track the overall owner of the database due to the "number of external origin points and sheer size of the data exposed," the team says.
The United States Computer Emergency Readiness Team (CERT) was informed of the leak on September 13 but did not respond to the researchers' findings.
vpnMentor then reached out to the US Embassy in Tel Aviv, and seven days later, the team contacted a representative of the Pentagon who promised swift action. Access to the database was revoked on October 2.
"The greatest risk posed by this leak is to the US government and military," the team says. "Significant amounts of sensitive employee and military personnel data could now be in the public domain. This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious."
ZDNet has reached out to US-CERT and affected parties and will update when we hear back.