Report: Travel Reservations Platform Leaks US Government Personnel Data
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a breach in a database belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts Group. Connected to various travel and hospitality-related platforms online, the exposed database posed a risk to many parties.
A few weeks prior to our team discovering the leak, Autoclerk was bought by Best Western Hotel & Resorts Group, potentially exposing one of the biggest hotel chains in the world.
The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number. It affected 1,000s of people across the globe, with millions of new records being added daily.
The most surprising victim of this leak wasn't an individual or company: it was the US government, military, and Department of Homeland Security (DHS). Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future.
This represented a massive breach of security for the government agencies and departments impacted.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue is quickly resolved. But such cases are rare. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and what’s at stake takes careful attention and time. Some affected parties deny the facts, disregarding our research or playing down its impact. We need to be thorough and make sure everything we find is correct and true.
We work hard on publishing accurate and trustworthy reports, to ensure everybody who reads them understands their seriousness.
In this case, due to the number of external origin points and sheer size of the data exposed, the owner of the database was unclear for a little while, but we suspected it belonged to Autoclerk for a number of reasons.
Meanwhile, we contacted the United States Computer Emergency Readiness Team (CERT). We outlined the nature of the leak and the government, military, and DHS data that was exposed. However, at the time of publishing, they had not replied to our email, ignoring our concerns.
- September 13th: Database discovered
- September 13th: US CERT contacted, no response
- September 19th: US Embassy in Tel Aviv notified about the lack of CERT response
- September 26th: Contact made with a representative of the Pentagon, who assured us the issue would be dealt with
- October 2nd: Database closed
Examples of Entries in the Database
The database was hosted on Amazon Web Services in the USA and contained over 179GB of data. Much of the data exposed originated from external travel and hospitality platforms using the database owner’s platform to interact with one another.
The client platforms affected include property management systems (PMS), booking engines, and data services within the tourism and hospitality industries.
Travel & Hospitality Platforms Affected
Autoclerk is a combined reservations system for hotels, accommodation providers, travel agencies and more. Its features include server- and cloud-based Property Management Systems (PMS), a web booking engine, Central Reservations Systems, and hotel PMS interfaces. For this reason, the database our team found was connected to myriad hotel and travel platforms.
Some examples of the external client platforms compromised by the leak include:
- HAPI Cloud
- OpenTravel
- myHMS and CleanMeNext by Autoclerk
- Synxis by Sabre Hospitality Solutions
While these platforms are mostly based in the US, the leak exposed users all over the world. Our team viewed many unencrypted login credentials to access accounts on additional systems external to the database, such as separate PMS platforms, guest ratings & review systems, and more.
Personal & Travel Data Exposed
As the platforms exposed in this leak focused on travel and hospitality, the database contained 100,000s of booking reservations for guests and travelers. This meant the personal details of guests in accommodations using an affected platform were also exposed.
The information of people making reservations exposed includes:
- Full name
- Date of birth
- Home address
- Phone number
- Dates & costs of travel
- Masked credit card details
On certain reservations, once a guest had checked in to a hotel, their check-in time and room number also became viewable on the database.
All this information is incredibly valuable for criminal hackers and online thieves.
US Government Data
The vulnerabilities we’ve described above will be troubling for the ordinary companies and private citizens affected.
For the US government, alarm bells should be ringing.
One of the platforms exposed in the database was a contractor of the US government, military, and DHS. The contractor manages the travel arrangements of US government and military personnel, as well as independent contractors working with American defense and security agencies.
The leak exposed the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for US army generals traveling to Moscow, Tel Aviv, and many more destinations. We also found their email addresses, phone numbers, and other sensitive personal data.
This represents a major flaw in the data security apparatus around such sensitive information. Any company concerned with the travel logistics of high-level military personnel should be adhering to the strictest data protection practices.
By not doing so, the owner of this database exposed a wealth of information that governmental and military clients would rather be kept private.
The exposed database should be a concern for all affected parties. From the guests in hotels using the impacted platforms to the senior staff of the US government, whose personnel were compromised, everyone is vulnerable to attack and exploitation.
Data Breach Impact
Hackers can use the exposed data to create complex scams targeting the businesses affected, their guests, and the US government.
Impact on Hotel Guests
Fraud & Phishing Campaigns
Combining the guests’ booking reservations and personal data, hackers can find additional information online, creating complete profiles of vulnerable targets.
They can then target hotel guests to extract more information, such as financial account details or sensitive passwords. These can be used to steal from victims, plant malware or launch other forms of attack, extort money, or steal their identities.
The exposed data was a goldmine for phishing campaigns. A phishing campaign uses bogus emails imitating real businesses to trick victims into providing passwords or credit card details, or into installing malicious software on a device.
Criminals could pose as hotels or booking engines used by guests, crafting convincing emails to easily fool them. The effects could be devastating, both financially and personally.
Physical Dangers
With detailed information on their hotel stays, hackers would know exactly when guests of hotels using the affected PMS and reservations platforms are on holiday, along with their home addresses.
They could use this information to plan home burglaries with minimal risk of being caught or target them abroad.
Furthermore, with hotel room numbers exposed, guests could also be targeted while on holiday.
Impact on the Database Owner and Clients
The same fraud and phishing tactics described above could also be used on businesses impacted by the leak, with far greater consequences. This includes Autoclerk.
Phishing campaigns and malicious software attacks can be devastating for businesses of all sizes. They compromise the security not just of the business, but also of its employees and customers.
The vulnerability our team discovered exposed the owners of the database, the many platforms connected to it, and any hotels using those platforms.
An attacker could use this leak to see how the systems interact and gain important knowledge about external servers, including passwords for accounts on other platforms. Hackers and cybercriminals can use this information to plan targeted attacks against all parties exposed, even on systems external to this database.
The scope for potential criminal activity is huge.
Impact on the US Government
The greatest risk posed by this leak was to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain.
This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious.
Government employees - especially in the military - are valuable targets to hackers, criminals, and rival governments, for obvious reasons.
While a phishing campaign or other form of attack can be problematic for private citizens and businesses, the implications for a government or military are much graver, compromising national security and individual safety of personnel affected.
It was through a simple phishing campaign that Russian hackers gained access to the US Democratic National Committee in 2018.
This leak also endangered the safety of personnel by giving live information about their travel arrangements, right down to their hotel room number.
More damaging still, if this data was downloaded, it can be sold on the Dark Web and become almost untraceable.
Advice from the Experts
This data leak could have easily been avoided if the database’s owner had taken some basic security measures. These can be replicated by any company, no matter its size:
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
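The third point is the one that matters most in this report: a data store reachable from the internet with no authentication. The script below is an added example written for this article, not tooling from vpnMentor or Autoclerk. It audits a host's own listening sockets from the output of `ss -tlnp` (the sample output is constructed) and flags well-known data-store ports, Elasticsearch's 9200 and 9300 among them, that are bound to a wildcard address rather than loopback or a private interface. The port-to-service table and the remediation text are this example's assumptions.

```python
"""Audit listening sockets for data stores bound to all interfaces.

Added example (not vpnMentor's tooling): parses the output of
`ss -tlnp` and flags well-known database/search ports that listen on a
wildcard address, which is how a database ends up reachable from the
whole internet when no authentication is configured in front of it.
"""
import re

# Ports of services that should never face the internet without auth.
# Elasticsearch (9200/9300) is the service in the report; the rest are
# common data stores added here as an assumption for the example.
DATA_STORE_PORTS = {
    9200: "Elasticsearch HTTP",
    9300: "Elasticsearch transport",
    27017: "MongoDB",
    6379: "Redis",
    5432: "PostgreSQL",
    3306: "MySQL",
}

# Bind addresses that mean "every interface on the machine".
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    0.0.0.0:9200         0.0.0.0:*          users:(("java",pid=2210,fd=310))
LISTEN  0       4096    [::]:9300            [::]:*             users:(("java",pid=2210,fd=312))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1402,fd=6))
"""

# One LISTEN row: state, queues, local addr:port, peer addr:port, process.
_LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
_PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (address, port, process_name) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # header line or a non-listening socket
        addr, port, rest = m.group(1), int(m.group(2)), m.group(3)
        proc = _PROC_RE.search(rest)
        listeners.append((addr, port, proc.group(1) if proc else "?"))
    return listeners


def find_exposed_data_stores(ss_output):
    """Flag data-store ports that listen on a wildcard address."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port in DATA_STORE_PORTS and addr in WILDCARD_ADDRS:
            findings.append({
                "service": DATA_STORE_PORTS[port],
                "port": port,
                "bind": addr,
                "process": proc,
                "fix": "bind to 127.0.0.1 or a private interface, "
                       "enable authentication, and firewall the port",
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_data_stores(SAMPLE_SS_OUTPUT):
        print(f"[!] {f['service']} ({f['process']}) listening on "
              f"{f['bind']}:{f['port']} -> {f['fix']}")
```

On the constructed sample, only the two Elasticsearch sockets are reported: PostgreSQL is bound to loopback, and SSH and nginx are not data stores. Running the same check against real `ss -tlnp` output (`ss -tlnp | python3 audit.py`, piping stdin instead of the sample) is a cheap pre-deployment gate.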
For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.
For the Platforms Affected
Before adopting software or apps to manage an area of your business, make sure they are following data security best practices. If processing external data, such as a hotel guest or members of the public, you need to ensure this data is protected from hackers.
Compromising your customers’ personal data can create major reputational damage and trust issues in the future.
For an in-depth guide on how to protect your business online, check out how to secure your website and online database from hackers.
For Guests of Hotels Impacted
If you’re concerned your data has been compromised in this leak, contact any hotels you’ve recently stayed at to confirm whether they’ve been affected. They should inform you of any steps they’re taking to resolve the issue.
You can also read our complete guide to online privacy. It shows you the many ways you can be targeted by cybercriminals, and the steps you can take to stay safe.
The US Government and Military
All US government bodies affected by this leak should review their vetting procedures for third-party contractors. Any external company dealing with government and military data should be following strict data security protocols and ensuring there are no vulnerabilities in the software they’re using.
How and Why We Discovered the Breach
As a part of a substantial web mapping project, the breach was detected by the vpnMentor research team. Our cybersecurity experts utilize port scanning techniques to analyze specific IP blocks and check for vulnerabilities by testing open areas within systems. They thoroughly inspect each discovered gap for potential data leakage.
When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the database owner to the breach. If possible, we will also alert those affected by the breach.
Our team was able to access this database because it was completely unsecured and unencrypted. However, at the time of writing, the identity of its owner has not been confirmed.
Whoever owns the database in question uses an Elasticsearch database, which is not ordinarily designed to be queried through a URL. However, we were able to access it via a browser and manipulate the URL search criteria into exposing the schemata of a single index at any time.
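An Elasticsearch cluster answers plain HTTP on its REST API, so once it is bound to a public interface with security switched off, any browser can read it exactly as described above. The script below is an added example for this article, not code from vpnMentor, Autoclerk or Elastic. It audits an `elasticsearch.yml` for the three settings that decide this (a weak and a corrected config are constructed inline), and classifies the response an operator gets from an unauthenticated `GET /` against their own cluster. It assumes the Elasticsearch 7.x setting names `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`, and treats security as off when the key is absent, which was the pre-8.0 default.

```python
"""Check an elasticsearch.yml for the settings that leave a cluster open.

Added example, not code from vpnMentor or Elastic. Assumes Elasticsearch
7.x setting names and a flat `key: value` config file, which is how
elasticsearch.yml is normally written. Security is treated as off when
xpack.security.enabled is absent (the pre-8.0 default).
"""

# Constructed config resembling an exposed cluster (weak settings).
WEAK_CONFIG = """\
cluster.name: reservations
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
# security left at its pre-8.0 default of off
xpack.security.enabled: false
"""

# Constructed config with the corrected settings.
HARDENED_CONFIG = """\
cluster.name: reservations
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# network.host values that expose the HTTP API on every interface.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text):
    """Parse the flat `dotted.key: value` lines of elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _is_true(value):
    return value.lower() in {"true", "yes", "on", "1"}


def audit_elasticsearch_config(text):
    """Return a list of findings; an empty list means the checks pass."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "127.0.0.1")  # ES binds loopback by default
    if host in PUBLIC_BINDS:
        findings.append(
            f"network.host is {host}: HTTP API reachable on every interface")
    if not _is_true(s.get("xpack.security.enabled", "false")):
        findings.append(
            "xpack.security.enabled is off: any client can list and "
            "search every index without credentials")
    if not _is_true(s.get("xpack.security.http.ssl.enabled", "false")):
        findings.append(
            "xpack.security.http.ssl.enabled is off: credentials and "
            "data travel in clear text")
    return findings


def classify_probe(status_code, body):
    """Classify the reply to an unauthenticated GET / on your own cluster.

    Elasticsearch's root endpoint returns a JSON banner containing
    "cluster_name"; with security on it answers 401 instead.
    """
    if status_code == 401:
        return "authentication enforced"
    if status_code == 200 and '"cluster_name"' in body:
        return "OPEN: cluster banner served without credentials"
    return "inconclusive"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_elasticsearch_config(cfg) or ['ok']}")
    # Constructed banner, not a response from a real cluster.
    print(classify_probe(200, '{"name":"node-1","cluster_name":"reservations"}'))
    print(classify_probe(401, ""))
```

The weak config produces three findings (public bind, no authentication, no TLS) and the hardened one none. The `classify_probe` check is meant for a cluster you operate: an unauthenticated 200 with the cluster banner is the same condition that let the report's authors read schemata from the browser.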
The purpose of this web mapping project is to help make the internet safer for all users.
As ethical hackers, we’re obliged to inform a company or their clients when we discover flaws in their online security. This is especially true when the company’s data breach contains such sensitive information concerning a nation’s government, military, and defense agencies.
These ethics also mean we carry a responsibility to the public, who deserve to be aware of a breach of this magnitude and the implications it has on their interests.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
We recently discovered a huge data breach impacting 80 million US households. We also revealed that a breach in Biostar 2 compromised the biometric data of over 1 million people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
[Publication date: 21.10.2019]