[BreachExchange] Open database leaked 179GB in customer, US government, and military records

Destry Winant destry at riskbasedsecurity.com
Tue Oct 22 09:58:14 EDT 2019


https://www.zdnet.com/article/autoclerk-database-leaked-customer-government-and-military-personal-records/

An open database exposing records containing the sensitive data of
hotel customers as well as US military personnel and officials has
been disclosed by researchers.

On Monday, vpnMentor's cybersecurity team, led by Noam Rotem and Ran
Locar, said the database belonged to Autoclerk, a service owned by
Best Western Hotels and Resorts group.

Autoclerk is a reservations management system used by resorts to
manage web bookings, revenue, loyalty programs, guest profiles, and
payment processing.

In a report shared with ZDNet, the researchers said the open
Elasticsearch database was discovered through vpnMentor's web mapping
project. It was possible to access the database, given it had no
encryption or security barriers whatsoever, and perform searches to
examine the records contained within.

The team says that "thousands" of individuals were impacted, although
for ethical reasons it was not possible to examine every record in
the leaking database to come up with a specific number.

Hundreds of thousands of booking reservations for guests were
available to view, and data including full names, dates of birth, home
addresses, phone numbers, dates and travel costs, some check-in times
and room numbers, and masked credit card details were also exposed.

Data breaches are a common occurrence and can end up compromising
information belonging to thousands or millions of us in a single
successful cyberattack.

What is more uncommon, however, is that US government and military
figures have also been involved in this security incident.
It appears that one of the platforms connected to Autoclerk exposed in
the breach is a contractor of the US government that deals with travel
arrangements.

vpnMentor was able to view records relating to the travel arrangements
of government and military personnel -- both past and future -- who
are connected to the US government, military, and Department of
Homeland Security (DHS).

Within the records, for example, were logs for US Army generals
visiting Russia and Israel, among other countries.

Autoclerk facilitates communication between different hospitality
platforms, and it appears that a substantial portion of the data
originated from external platforms. In total, the database -- hosted
by AWS -- contained over 179GB of data.

At the time of writing it has not been possible to track the overall
owner of the database due to the "number of external origin points and
sheer size of the data exposed," the team says.

The United States Computer Emergency Readiness Team (CERT) was
informed of the leak on September 13 but did not respond to the
researchers' findings.

vpnMentor then reached out to the US Embassy in Tel Aviv, and seven
days later, the team contacted a representative of the Pentagon who
promised swift action. Access to the database was revoked on October
2.

"The greatest risk posed by this leak is to the US government and
military," the team says. "Significant amounts of sensitive employee
and military personnel data could now be in the public domain. This
gives invaluable insight into the operations and activities of the US
government and military personnel. The national security implications
for the US government and military are wide-ranging and serious."

ZDNet has reached out to US-CERT and affected parties and will update
when we hear back.

