[BreachExchange] Choice Hotels: 700,000 Guest Records Exposed

Destry Winant destry at riskbasedsecurity.com
Thu Aug 15 10:02:11 EDT 2019


Choice Hotels says about 700,000 guest records were exposed after one
of its vendors copied data from its systems. Fraudsters discovered the
unsecured database and tried to hold the hotel chain to ransom, which
it ignored.

Choice Hotels is one of the largest lodging franchisers, with 7,000
locations in 40 countries, including brands such as EconoLodge,
Comfort Inn and Quality Inn. Security researcher Bob Diachenko
discovered the leak, according to the U.K.-based website Comparitech.

The hotel company tells ISMG the ransom attempt was "not successful."

The data was copied by the vendor, which was not identified, to its
systems "without authorization," it says. Ironically, Choice Hotels
says the data "was being hosted on their server to test a security
offering." None of Choice Hotels' servers were impacted.

Most of the data that was copied by the vendor was test data, the
company says, but about 700,000 records contained real guest
information, including names, addresses, phone numbers and email

"The records did not contain payment, password or reservation
information," a spokeswoman says. "We will be notifying affected
guests to advise them of what occurred."

MongoDB: No Authentication

Diachenko found a 3.8GB MongoDB database containing 5.7 million
records, which was traced to Choice Hotels. The database was left
online and didn't require authentication. MongoDB is a popular NoSQL
open-source database.

The database was apparently discovered by others, because Diachenko
found a ransom note. According to a screenshot posted by Comparitech,
the note says the database had been downloaded and asked for .4 of a
bitcoin - around $4,300 - to recover the data.

"The records did not contain payment, password or reservation
information. We will be notifying affected guests to advise them of
what occurred."
—Choice Hotels

Organizations that leave critical databases exposed often don't have
much time to fix the error, as cybercriminals scan the internet for
applications that may vulnerable.

Indeed, Comparitech reports that the Choice Hotels situation was
uncovered using the BinaryEdge search engine, which scans IP ranges to
lightly probe for what applications or services may be exposed.
Another similar search engine is Shodan.

Diachenko notified Choice Hotels on July 2, although his initial email
was filtered out. The database ended up being secured that day,
although Diachenko didn't send a second notification until July 28,
Comparitech reports.

Getting MongoDB Secure

The importance of maintaining proper security configurations for
MongoDB increased two years ago, when researchers suddenly noticed
tens of thousands of MongoDB systems being compromised in one day.

On a single day in January 2017, nearly 28,000 MongoDB instances were
compromised. The attacks often involved deleting the data and leaving
a ransom note in place, usually asking for some amount of bitcoins
(see: MongoDB Ransomware Compromises Double in a Day).

The attackers were capitalizing on MongoDB instances that either
required no authentication, didn't have up-to-date patches or were
otherwise misconfigured.

In response to the attacks, MongoDB advised that the compromises were
largely preventable if administrators took advantage of the security
protections and followed best practices.

MongoDB has security features that allow admins to test if a database
is exposed to the internet, as well as a backup feature to ensure data
is not lost forever. There's also a good security checklist worthy of
a scan.

During the 2017 attacks, Victor Gevers, who is chair of the GDI
Foundation, created a spreadsheet called MongoDB ransacking that
chronicles some observed attacks.

The spreadsheet shows the ransom price, the email of the attacker,
when the email was sighted, attacker IPs, estimated number of victims
and the number of transactions associated with the bitcoin address.

Most attacks occurred in 2017 and then tailed off. But there are three
entries for this year, two of which were found by Gevers.

More information about the BreachExchange mailing list