US military data exposed in 179GB Autoclerk leak

Travel arrangements of hundreds of thousands disclosed via “unsecured and unencrypted” AWS database

Flaws in a reservations management system owned by the Best Western hotel chain have led to the exposure of thousands of individuals' personal information, as well as data belonging to the US military.

Researchers from vpnMentor saw highly sensitive data belonging to personnel working for the US government, the Department of Homeland Security (DHS) and the military, including travel arrangements both past and future.

The Autoclerk system is a combined reservations platform for hotels, accommodation services and travel agencies, powered by server- and cloud-based property management systems (PMS), a web booking engine, and other systems. Best Western purchased the platform only a matter of weeks ago.

As a result of the data leak, the researchers managed to gain access to a host of hotel and travel platforms. The details they viewed included login data, stored in an unencrypted format, for users based all over the world, which then allowed them to access accounts on external systems such as different PMS platforms and guest review systems.

"The vulnerabilities we've described above will be troubling for the ordinary companies and private citizens affected," the researchers said. "For the US government, alarm bells should be ringing."

"The greatest risk posed by this leak was to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain.

"This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious. Government employees - especially in the military - are valuable targets to hackers, criminals, and rival governments, for obvious reasons."

The exposed database was hosted by Amazon Web Services (AWS) in the US, and contained more than 179GB of data. The majority of this, however, originated from external travel and hospitality platforms using the database owner's platform to communicate with one another.

Hundreds of thousands of booking reservations for guests and travellers were exposed as part of the leak, including details such as full name, home address, dates and costs of travel, and masked payment card details. On certain entries, the check-in time and room number of guests became viewable on the database once people had checked in.

The massive database also contained the sensitive details of many people working in government and the military, including the personally identifying information (PII) and travel arrangements of senior officials. The researchers, for example, saw logs for US army generals travelling to Russia and Israel, among many other destinations.

The researchers discovered the breach as part of a huge web mapping project, using port scanning to examine particular IP blocks and test open holes in systems for weaknesses. The team was able to access the Elasticsearch database because it was "completely unsecured and unencrypted".

The risks go beyond the immediate threat of phishing or financial crime: criminals could plan burglaries for times when individuals are known to be travelling abroad. Guests could also be targeted while on holiday if their room numbers have been exposed via the database.

The vpnMentor researchers added that the data leak could easily have been avoided if the owner of the database, Autoclerk, had taken a number of security measures, including securing the servers, implementing access rules, and not leaving the system open to the internet.

The researchers first discovered the database on 13 September. vpnMentor then approached the United States Computer Emergency Readiness Team (US-CERT) and subsequently the US Embassy in Tel Aviv. The Pentagon was eventually reached on 26 September, with representatives assuring the researchers the issue would be dealt with. The exposed database was then closed on 2 October.

IT Pro approached Best Western for a statement.
