US military data exposed in 179GB Autoclerk leak

Travel arrangements of hundreds of thousands disclosed via “unsecured and unencrypted” AWS database

Flaws in a reservations management system owned by the Best Western hotel chain has led to the exposure of thousands of individuals' personal information, as well as data belonging to the US military.

Highly sensitive data belonging to personnel working for the US government, the Department for Homeland Security (DHS) and the military was seen by researchers from vpnMentor, including travel arrangements both past and future.

The Autoclerk system is a combined reservations platform for hotels, accommodation services and travel agencies which is powered by a server and cloud-based property management systems (PMS), web booking engine, and other systems. This platform was only purchased by Best Western a matter of weeks ago.

The researchers managed to gain access to a host of hotel and travel platforms, as a result of the data leak. They viewed such details as login data from users based all over the world in an unencrypted format, which then allowed them to gain access into accounts on external systems such as different PMS platforms, and guest review systems.

Advertisement - Article continues below
Advertisement - Article continues below

"The vulnerabilities we've described above will be troubling for the ordinary companies and private citizens affected," the researchers said. "For the US government, alarm bells should be ringing."

"The greatest risk posed by this leak was to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain.

"This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious. Government employees - especially in the military - are valuable targets to hackers, criminals, and rival governments, for obvious reasons."

The database exposed was hosted by Amazon Web Servers (AWS) in the US, and contained more than 179GB worth of data. The majority of this, however, originated from external travel and hospitality platforms using the database owner's platform to communicate with one another.

Hundreds of thousands of booking reservations for guests and travellers were exposed as part of the leak, including details such as full name, home address, dates and costs of travels and masked payment card details. On certain entries, the check-in time and room number of guests became viewable on the database once people had checked in.

The massive database also contained the sensitive details of many associated with lines of work in the government and the military, including the personally identifying information (PII) and travel arrangements of senior officials. The researchers, for example, saw logs for US army generals travelling to Russia and Israel, among many other destinations.

Advertisement - Article continues below

The researchers discovered the breach as part of a huge web mapping project, using port scanning to examine particular IP blocks and test open holes in systems for weaknesses. The team was able to access the Elasticsearch database because it was "completely unsecured and unencrypted".

Some of the risks, beyond the immediate threat of phishing or financial crime, include the idea that criminals are able to effectively plan burglaries while individuals are known to be travelling abroad. Guests could also be targeted while on holiday if their room numbers have been exposed via the database.

The vpnMentor researchers added the data leak could have easily been avoided if the owner of the database, Autoclerk, had taken a number of security measures that included securing the servers, implementing access rules, and not leaving the system open to the internet.

The database was first discovered by researchers on 13 September, before vpnMentor then approached the United States Computer Emergency Readiness Team (US-CERT) and subsequently the US Embassy in Tel Aviv. The Pentagon was eventually reached on 26 September, with representatives assuring the researchers the issue would be dealt with. The exposed database was then closed on 2 October.

IT Pro approached Best Western for a statement.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020