US military data exposed in 179GB Autoclerk leak

Travel arrangements of hundreds of thousands disclosed via “unsecured and unencrypted” AWS database

Flaws in a reservations management system owned by the Best Western hotel chain have led to the exposure of thousands of individuals' personal information, as well as data belonging to the US military.

Highly sensitive data belonging to personnel working for the US government, the Department of Homeland Security (DHS) and the military, including travel arrangements both past and future, was seen by researchers from vpnMentor.

The Autoclerk system is a combined reservations platform for hotels, accommodation services and travel agencies, built on server- and cloud-based property management systems (PMS), a web booking engine, and other systems. This platform was only purchased by Best Western a matter of weeks ago.

As a result of the data leak, the researchers managed to gain access to a host of hotel and travel platforms. They viewed details such as login data, stored in an unencrypted format, for users based all over the world, which then allowed them to gain access to accounts on external systems such as different PMS platforms and guest review systems.

"The vulnerabilities we've described above will be troubling for the ordinary companies and private citizens affected," the researchers said. "For the US government, alarm bells should be ringing."

"The greatest risk posed by this leak was to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain.

"This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious. Government employees - especially in the military - are valuable targets to hackers, criminals, and rival governments, for obvious reasons."

The exposed database was hosted by Amazon Web Services (AWS) in the US, and contained more than 179GB worth of data. The majority of this, however, originated from external travel and hospitality platforms using the database owner's platform to communicate with one another.

Hundreds of thousands of booking reservations for guests and travellers were exposed as part of the leak, including details such as full name, home address, dates and costs of travels and masked payment card details. On certain entries, the check-in time and room number of guests became viewable on the database once people had checked in.

The massive database also contained the sensitive details of many associated with lines of work in the government and the military, including the personally identifying information (PII) and travel arrangements of senior officials. The researchers, for example, saw logs for US army generals travelling to Russia and Israel, among many other destinations.

The researchers discovered the breach as part of a huge web mapping project, using port scanning to examine particular IP blocks and test open holes in systems for weaknesses. The team was able to access the Elasticsearch database because it was "completely unsecured and unencrypted".

Some of the risks, beyond the immediate threat of phishing or financial crime, include the idea that criminals are able to effectively plan burglaries while individuals are known to be travelling abroad. Guests could also be targeted while on holiday if their room numbers have been exposed via the database.

The vpnMentor researchers added that the data leak could easily have been avoided if the owner of the database, Autoclerk, had taken a number of security measures, including securing the servers, implementing access rules, and not leaving the system open to the internet.
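The measures listed above can be checked on a self-managed Elasticsearch node by auditing its `elasticsearch.yml`. The following is an added example, not code from the article or from vpnMentor's report: the setting names are Elasticsearch's own, while the two sample files are constructed and the parser assumes flat dotted keys with single values rather than nested YAML or lists.

```python
import ipaddress

# Constructed sample configs (not taken from the incident).
EXPOSED = """\
network.host: 0.0.0.0        # reachable on every interface
xpack.security.enabled: false
"""
HARDENED = """\
network.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse 'key: value' lines, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_loopback(host):
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames and values such as _site_ need manual review

def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")  # unset means loopback only
    if not is_loopback(host):
        findings.append("network.host=%s: listens beyond loopback" % host)
    # Defaults differ between versions, so an unset value is reported
    # to force the setting to be stated explicitly.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication")
    for layer in ("http", "transport"):
        key = "xpack.security.%s.ssl.enabled" % layer
        if s.get(key, "").lower() != "true":
            findings.append("%s is not true: traffic is unencrypted" % key)
    return findings
```

A non-loopback bind is not a finding to ignore just because a firewall or security group sits in front of the node; the audit only covers the node's own configuration, so network-level access rules still need their own review.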

The database was first discovered by researchers on 13 September, before vpnMentor then approached the United States Computer Emergency Readiness Team (US-CERT) and subsequently the US Embassy in Tel Aviv. The Pentagon was eventually reached on 26 September, with representatives assuring the researchers the issue would be dealt with. The exposed database was then closed on 2 October.

IT Pro approached Best Western for a statement.
