Unsecured database exposes 85GB in security logs of major hotel chains

The source of the exposure appears to stem from a management company for Marriott, Plaza, and others.
Written by Charlie Osborne, Contributing Writer

An unsecured database that exposed the security logs -- and therefore potential cybersecurity weaknesses -- of major hotels including Marriott locations has been uncovered by researchers.

VpnMentor researchers Noam Rotem and Ran Locar published their findings on Thursday, noting that multiple hotels have been embroiled in the security incident.

The team, including co-founder of vpnMentor Ariel Hochstadt, uncovered the problematic server on May 27, 2019, while using port scanners to map areas of the Internet.

The server has been connected to Pyramid Hotel Group, a hotel and resort management company.

Pyramid says on its website that the company "provides superior operations, owner relations, and support services to its assets and investors."

The firm manages hospitality and resort properties in the US, Hawaii, the Caribbean, Ireland, and the UK. These properties include 19 Marriott locations, Sheraton hotels, Plaza resorts, and Hilton Hotel properties, alongside a number of independent hotels.

The unsecured server, which has an Elasticsearch database instance in Port 9200, allowed unrestricted access to security audit logs generated by Wazuh, an open-source intrusion detection system.

In total, 90 properties are listed publicly by Pyramid as clients, but the server found by vpnMentor appears to include data relating to 96 locations.

Marriott property Aloft Sarasota is one of many, and while the database does not contain clear names on each record, Tarrytown House Estate (New York), Carton House Luxury Hotel (Ireland), Aloft Hotels (Florida), and Temple Bar Hotel (Ireland) were all identifiable.

The unsecured database exposes a vast array of sensitive data belonging to the security systems of these properties. In total, 85.4GB of security audit logs were exposed. 

"From what we can see, it's possible to understand the naming convention used by the organization, their various domains and domain control, the database(s) used, and other important information leading to potential penetration," the researchers say. 

See also: Cybersecurity 101: Protect your privacy from hackers, spies, and the government

According to samples obtained by vpnMentor and viewed by ZDNet, the information exposed appears to stem back to April 19, 2019.

Information including server API keys and passwords, device names, IP addresses of incoming connections, firewall and open port data, malware alerts, restricted applications, login attempt records, application errors, and both brute-force attack detection and malware infection logs are all included.

In addition, vpnMentor says that data belonging to hotel employees, such as their full names and usernames, local PC names and addresses, server names and operating system details, cybersecurity policy details, and a variety of other cybersecurity-related information was all made available for public viewing.


"Most times, you get users' data that leaks," Hochstadt told ZDNet. "Here, one can argue that users' data wasn't leaking. But it is like saying "no-one forgot his wallet and no money was stolen" when the real fact is that, "the police left the evidence room open and the internal guidebook on all the undercover policeman names and addresses, and someone can now create huge damage with this data and steal a million wallets."

CNET: Apple has a secret facility for stress-testing iPhone parts

In other words, threat actors with access to the security logs would be able to understand the inner workings and security practices of the impacted properties, viewing locations in the same manner as internal security teams and potentially learning of vulnerable systems ripe for future attacks.

"This data leak is disclosing information that is private, secret, and would typically be for the eyes of an internal-team or MSSP only," vpnMentor says. "The irony is that what's being exposed is from a system that is meant to protect the company from such vulnerabilities."

Not only does such a leak expose clients to potential cybersecurity attacks, but to make matters worse, vpnMentor says that the physical security of hotels and their customers may have been placed at risk.

TechRepublic: GDPR fines levied so far: The lessons businesses can learn

While investigating the database, the team also found data relating to multiple devices including hotel locks, in-room safes, and physical security management equipment.

"Especially in the wrong hands, this drives home the very real danger here of when cybersecurity flaws threaten real-world security," the cybersecurity firm noted.

Both vpnMentor and ZDNet reached out to Pyramid to inform the company of the exposed server on May 28, 2019.

Access to the database was closed shortly after Pyramid was made aware of the incident, but the company has not acknowledged their link to the server, nor responded to multiple requests for comment via phone and email prior to publication. 

This is not the first time that vpnMentor has discovered databases and servers left wide-open to the public due to the firm's web mapping activities. The company has previously disclosed a massive data breach impacting Chinese e-commerce firm Gearbest and an unprotected database which impacted up to 65 percent of US households. 

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards