Led by Noam Rotem and Ran Locar, vpnMentor's research team discovered a leak in a database belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts Group. Connected to various travel and hospitality-related platforms online, the exposed database posed a risk to many parties.
A few weeks prior to our team discovering the leak, Autoclerk was bought by Best Western Hotels & Resorts Group, potentially exposing one of the biggest hotel chains in the world.
The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number. It affected 1,000s of people across the globe, with millions of new records being added daily.
The most surprising victim of this leak wasn't an individual or company: it was the US government, military, and Department of Homeland Security (DHS). Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future.
This represented a massive breach of security for the government agencies and departments impacted.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue is quickly resolved. But these times are rare. Most often, we need days of investigation before we understand what's at stake or who's leaking the data.
Understanding a breach and what's at stake takes careful attention and time. Some affected parties deny the facts, disregarding our research or playing down its impact. We need to be thorough and make sure everything we find is correct and true.
We work hard on publishing accurate and trustworthy reports, to ensure everybody who reads them understands their seriousness.
In this case, due to the number of external origin points and sheer size of the data exposed, the owner of the database was unclear for a little while, but we suspected it belonged to Autoclerk for a number of reasons.
Meanwhile, we had contacted the United States Computer Emergency Readiness Team (CERT). We outlined the nature of the leak, and the government, military, and DHS data that was exposed. However, at the time of publishing, they had not replied to our email, ignoring our concerns.
September 13th: Database discovered
September 13th: US CERT contacted, no response
September 19th: US Embassy in Tel Aviv notified about the lack of CERT response
September 26th: Contact made with a representative of the Pentagon, who ensures the issue will be dealt with
October 2nd: Database closed
Examples of Entries in the Database
The database was hosted by Amazon Web Services in the USA, containing over 179GB of data. Much of the data exposed originated from external travel and hospitality platforms using the database owner's platform to interact with one another.
The client platforms affected include property management systems (PMS), booking engines, and data services within the tourism and hospitality industries.
Travel & Hospitality Platforms Affected
Autoclerk is a combined reservations system for hotels, accommodation providers, travel agencies and more. Its features include server- and cloud-based Property Management Systems (PMS), a web booking engine, Central Reservations Systems, and hotel PMS interfaces. For this reason, the database our team found was connected to myriad hotel and travel platforms.
Some examples of the external client platforms compromised by the leak include:
myHMS and CleanMeNext by Autoclerk
Synxis by Sabre Hospitality Solutions
While these platforms are mostly based in the US, the leak exposed users all over the world. Our team viewed many unencrypted login credentials to access accounts on additional systems external to the database, such as separate PMS platforms, guest ratings & review systems, and more.
Personal & Travel Data Exposed
As the platforms exposed in this leak focused on traveling and hospitality, the database contained 100,000s of booking reservations for guests and travelers. This meant the personal details of guests in accommodations using an affected platform were also exposed.
The exposed information of people making reservations includes:
Date of birth
Dates & costs of travel
Masked credit card details
On certain reservations, once a guest had checked in to a hotel, their check-in time and room number also became viewable on the database.
All this information is incredibly valuable for criminal hackers and online thieves.