Travel database exposed PII on US government employees

A property management company owned by hotel chain Best Western has exposed 179 GB of sensitive travel information on thousands of travelers, researchers said this week.

The breach, which exposed the users of many other travel services, also reportedly put sensitive US government employees at risk.

Researchers at vpnMentor, Noam Rotem and Ran Locar, were conducting a large web mapping project, port scanning IP blocks to find vulnerabilities. In a description of the breach, they explained how they stumbled upon an Elasticsearch database running on an AWS instance. The database was completely unsecured and unencrypted, they said.

After some digging, the researchers found that the database belonged to Autoclerk, which sells server-and cloud-based property management software. In August 2019, Best Western Hotel & Resorts Group bought the company to add Autoclerk’s software to its own technology stack, making it easier for its property management systems to talk to the central reservation systems used by travel agents.

The database contained information from third-party travel and hospitality platforms that used Autoclerk to communicate with each other and exchange data. 

The researchers said:

The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number. It affected 1,000s of people across the globe, with millions of new records being added daily.

Some of those travelers were employees of the US government, including military personnel and Department of Homeland Security (DHS) staff. They were exposed because one of the systems that connected to the database was operated by a contractor to the US government, military, and DHS. The researchers added:

Our team viewed logs for US army generals traveling to Moscow, Tel Aviv, and many more destinations. We also found their email address, phone numbers, and other sensitive personal data.

Attackers could use this data to phish hotel guests and extract more information from them, said the researchers, drawing comparisons with the Russian spearphishing campaign against the Democratic National Committee.

The data exposure could also have posed more immediate threats: 

This leak also endangered the safety of personnel by giving live information about their travel arrangements, right down to their hotel room number.

The researchers told US CERT about this on 13 September 2019, but it ignored them. So they told the US embassy in Tel Aviv (where the researchers are based) on 19 September. Finally, on 26 September, they were put in touch with the Pentagon, and the database was closed down on 2 October.

Adapting an Elasticsearch server so that anyone can access it from the public internet is an intentional step. The database only binds to local addresses by default, meaning that you have to deliberately configure it to listen for requests from public IP addresses. Even if you do that, AWS includes several security features out of the box, such as identity and access management, encryption of data at rest, and integration with its own security groups.

Elasticsearch also rolled several security features into the free version of its platform in May, including TLS for encrypted communications, and role-based access control.

Neither Autoclerk nor its owners responded to our requests for comment yesterday.