vpnMentor’s research team discovered a breach in a database belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts Group. Among those affected by the leak were the U.S. government, military and Department of Homeland Security, according to the research.
A few weeks before the research team discovered the leak, Autoclerk was bought by Best Western Hotels and Resorts Group, potentially exposing one of the biggest hotel chains in the world.
The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number. It affected thousands of people across the globe, with millions of new records being added daily, says the report. The highly sensitive data included the personal details of government and military personnel and their travel arrangements to locations around the world, both past and future.
Examples of Entries in the Database
The database was hosted by Amazon Web Services in the USA and contained over 179GB of data. Much of the exposed data originated from external travel and hospitality platforms that use the database owner’s platform to interact with one another. The affected client platforms include property management systems (PMS), booking engines and data services within the tourism and hospitality industries, says the report.
Personal & Travel Data Exposed
As the platforms exposed in this leak focused on travel and hospitality, the database contained hundreds of thousands of booking reservations for guests and travelers.
The exposed information of people making reservations includes:
- Full name
- Date of birth
- Home address
- Phone number
- Dates & costs of travel
- Masked credit card details
On certain reservations, once a guest had checked in to a hotel, their check-in time and room number also became viewable in the database. All this information is incredibly valuable for criminal hackers and online thieves, says the report.
US Government Data
One of the platforms exposed in the database was a contractor of the U.S. government, military and DHS. The contractor manages the travel arrangements of U.S. government and military personnel, as well as independent contractors working with American defense and security agencies.
The leak exposed the personally identifying information (PII) of personnel and their travel arrangements. The research team viewed logs for U.S. Army generals traveling to Moscow, Tel Aviv and many more destinations. They also found their email addresses, phone numbers and other sensitive personal data.
To find out more, visit vpnMentor's website.