[BreachExchange] Customer data from Best Western and other hotels exposed in massive data breach

Destry Winant destry at riskbasedsecurity.com
Wed Oct 23 10:08:28 EDT 2019


https://siliconangle.com/2019/10/21/customer-data-best-western-hotels-exposed-massive-data-breach/

A database that included customer booking details belonging to
Autoclerk, a hotel reservations system owned by Best Western
International Inc., has been found exposed online in yet another case
of misconfigured cloud storage.

Discovered by security researchers at vpnMentor, the 179-gigabyte
database included names, dates of birth, home addresses, phone numbers,
dates and costs of travel, masked credit card details, and check-in
times and room numbers.

Some of the details in the database concerned members of the U.S.
government, military and the Department of Homeland Security. “Our
team viewed logs for U.S. army generals traveling to Moscow, Tel Aviv
and many more destinations,” the researchers noted. “We also found
their email address, phone numbers and other sensitive personal data.”

Today’s exposure was via an unsecured Elasticsearch database hosted on
Amazon Web Services Inc. The database was discovered Sept. 13. The
researchers initially contacted the Department of Homeland Security’s
United States Computer Emergency Readiness Team, with no response.

The researchers then reached out to the U.S. Embassy in Tel Aviv with
the details, again with no response. Fast-forward to Sept. 26, and a
representative of the Pentagon contacted the researchers saying that
the issue would be dealt with. The database was finally secured Oct.
2.

Autoclerk is owned by Best Western, but it wasn’t only Best Western
customer data that was exposed. Autoclerk links into various
external client platforms, with data from HAPI Cloud, OpenTravel and
Synxis by Sabre Hospitality Solutions also compromised.

Neither Best Western nor Autoclerk has publicly responded to the breach.

“Leaving a database publicly available without any security barriers
in place is one of the most common yet preventable causes of data
breaches in the cloud,” Chris DeRamus, chief technology officer of
cybersecurity firm DivvyCloud Corp., told SiliconANGLE. “The
self-service nature of cloud means that users not familiar with
security settings and best practices can easily create databases or
alter configurations, resulting in devastating data leaks, such as
this incident with Autoclerk.”

Despite no evidence of misuse of the data, he added, giving
cybercriminals at least three weeks to find the open database and
harvest data they could then sell or leverage to launch future attacks
is “especially alarming,” given that the database contained
information on U.S. military and government officials.

Anurag Kahol, CTO of cloud access security broker Bitglass Inc.,
repeated a mantra of security officials: Companies need to get their
act together.

“The Autoclerk database was not protected with any security layers –
it indiscriminately granted public access to personally identifiable
information including names, home addresses and financial
information,” Kahol said. “This type of data can be bought and sold
for top dollar on the dark web, further exposing those affected to
future fraud and phishing attacks. Additionally, the fact that U.S.
government and military personnel had their travel and hotel data
exposed in this incident could enable criminals to learn pertinent
details about their regular traveling practices, leading to
implications for national security.”

