US military data exposed in 179GB Autoclerk leak

Travel arrangements of hundreds of thousands disclosed via “unsecured and unencrypted” AWS database

Flaws in a reservations management system owned by the Best Western hotel chain have led to the exposure of thousands of individuals' personal information, as well as data belonging to the US military.

Highly sensitive data belonging to personnel working for the US government, the Department of Homeland Security (DHS) and the military was seen by researchers from vpnMentor, including travel arrangements both past and future.

The Autoclerk system is a combined reservations platform for hotels, accommodation services and travel agencies, powered by server and cloud-based property management systems (PMS), a web booking engine, and other systems. Best Western purchased the platform only a matter of weeks ago.

The researchers managed to gain access to a host of hotel and travel platforms as a result of the data leak. They viewed details such as login data, stored in an unencrypted format, from users based all over the world, which then allowed them to gain access to accounts on external systems such as different PMS platforms and guest review systems.

"The vulnerabilities we've described above will be troubling for the ordinary companies and private citizens affected," the researchers said. "For the US government, alarm bells should be ringing."

"The greatest risk posed by this leak was to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain.

"This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious. Government employees - especially in the military - are valuable targets to hackers, criminals, and rival governments, for obvious reasons."

The exposed database was hosted by Amazon Web Services (AWS) in the US, and contained more than 179GB worth of data. The majority of this, however, originated from external travel and hospitality platforms using the database owner's platform to communicate with one another.

Hundreds of thousands of booking reservations for guests and travellers were exposed as part of the leak, including details such as full name, home address, dates and costs of travel and masked payment card details. On certain entries, the check-in time and room number of guests became viewable on the database once people had checked in.

The massive database also contained sensitive details of many people working in government and the military, including the personally identifying information (PII) and travel arrangements of senior officials. The researchers, for example, saw logs for US army generals travelling to Russia and Israel, among many other destinations.

The researchers discovered the breach as part of a huge web mapping project, using port scanning to examine particular IP blocks and test open holes in systems for weaknesses. The team was able to access the Elasticsearch database because it was "completely unsecured and unencrypted".

Some of the risks, beyond the immediate threat of phishing or financial crime, include the idea that criminals are able to effectively plan burglaries while individuals are known to be travelling abroad. Guests could also be targeted while on holiday if their room numbers have been exposed via the database.

The vpnMentor researchers added that the data leak could have easily been avoided if the owner of the database, Autoclerk, had taken a number of security measures that included securing the servers, implementing access rules, and not leaving the system open to the internet.

The database was first discovered by researchers on 13 September, before vpnMentor then approached the United States Computer Emergency Readiness Team (US-CERT) and subsequently the US Embassy in Tel Aviv. The Pentagon was eventually reached on 26 September, with representatives assuring the researchers the issue would be dealt with. The exposed database was then closed on 2 October.

IT Pro approached Best Western for a statement.
