vpnMentor’s discovered a breach in a database belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts Group.

Security experts at vpnMentor’s discovered a breach in a database belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts Group.

The data leak exposed sensitive personal information of thousands of users worldwide and hotel guests, along with a hotel and travel reservations.

“Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a breach in a database belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts Group.” reads the analysis published by vpnMentor.

“The data Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future.”

The list of affected users includes the US government, military, and Department of Homeland Security (DHS).

“For the US government, alarm bells should be ringing. One of the platforms exposed in the database was a contractor of the US government, military, and DHS. The contractor manages the travel arrangements of US government and military personnel, as well as independent contractors working with American defense and security agencies.” continues vpnMento r. “The leak exposed the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for US army generals traveling to Moscow, Tel Aviv, and many more destinations.”

The database was hosted by Amazon Web Servers located the USA and it contained over 179GB of data. The database contained 100,000s of booking reservations for guests and travelers, exposed user data includes full name, date of birth, home address, phone number, dates & costs of travel, masked credit card details.

For some reservations, the archive included data related to the guest check-in such as the check-in time and room number.

Most of the data in the database was originated from external travel and hospitality platforms such as property management systems (PMS), booking engines, and data services.

“ Autoclerk is a combined reservations system for hotels, accommodation providers, travel agencies and more. Its features include server- and cloud-based Property Management Systems (PMS), a web booking engine, Central Reservations Systems, and hotel PMS interfaces.” continues the report.

“For this reason, the database our team found was connected to myriad hotel and travel platforms. Some examples of the external client platforms compromised by the leak include:

The database was discovered on September 13, 2019, and it was secured on October 2, 2019, below the complete timeline:

September 13th: Database discovered

Database discovered September 13th: US CERT contacted, no response

US CERT contacted, no response September 19th: US Embassy in Tel Aviv notified about the lack of CERT response

US Embassy in Tel Aviv notified about the lack of CERT response September 26th: Contact made with representative of the Pentagon, who ensures the issue will be dealt with

Contact made with representative of the Pentagon, who ensures the issue will be dealt with October 2nd: Database closed

“The greatest risk posed by this leak was to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain.” concludes the experts. “This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious.”

Pierluigi Paganini

(SecurityAffairs – US government, Autoclerk data le ak )

Share this...

Linkedin Reddit Pinterest

Share On