The team of web application security specialists at vpnMentor has discovered a massive breach in a database operated by Autoclerk, a reservation management system owned by Best Western Hotels & Resorts Group. Because this database is connected to some platforms related to travel and hospitality services, this could be a real danger to thousands of users.
During the incident, the personal data of the
hotel group’s guests have been displayed, as well as a detailed description of
their reservations and itineraries. In the worst cases, check-ins included
booking times and even the guest’s room number.
According to web application security experts,
among the most notable customers of the reservation company are the US Army, in
addition to the Department
of Homeland Security (DHS). “We found highly sensitive data that
exposes US military personnel and security agencies, including details of past
and future travel,” the experts say.
The compromised information (a little over 179 GB) was hosted on Amazon Web Services; according to the reports, this database was integrated from external travel platforms that used the database owner’s platform to interact and contrast travel information. Affected customer platforms include property management systems (PMS), booking engines and data services within the tourism and hospitality industries.
As reported the compromised database contains
at least 100 thousand booking records, including personal details such as:
dates and costs
card details (protected)
Moreover, the security firm revealed that the
compromised information of government officials and members of the military was
operated by a third-party service, responsible for managing the travel of these
officials. Among the records presented were details on the travels of some US Army
generals to countries such as Russia, Israel, among others. Email addresses,
phone numbers, among other data, were also exposed.
This is a really serious issue, as web
application security experts mention that any organized hacker group could
access this information to deploy complex fraud campaigns against exposed users,
including members of the US military and intelligence officials.
As for the operating company of the exposed
database, this incident could also be harmful. By analyzing the information
exposed, a hacker with sufficient knowledge could learn important details about
these reservation management systems, which poses a security risk in the future
for the affected company and other similar services.
As a protective measure, the web application
security experts from the International Institute of Cyber Security (IICS)
mentioned that the affected company must implement better protection on its
servers, enforce stricter access rules, in addition to not exposing a system
that requires authentication to the public Internet.