An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers.
On Monday, vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group.
Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.
In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor’s web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within.
The team says that “thousands” of individuals were impacted, although due to ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number.
Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed.
Data breaches are a common occurrence and can end up compromising information belonging to thousands or millions of us in single cases of a successful cyberattack.
What is more uncommon, however, is that the US government and military figures have also been involved in this security incident.
It appears that one of the platforms connected to Autoclerk exposed in the breach is a contractor of the US government that deals with travel arrangements.
vpnMentor was able to view records relating to the travel arrangements of government and military personnel — both past and future — who are connected to the US government, military, and Department of Homeland Security (DHS).
Within the records, for example, were logs for US Army generals visiting Russia and Israel, among other countries.