Travelers' Sensitive Information Exposed

By Sara Mosqueda

24 October 2019

A recent data breach compromised sensitive personal data on thousands of travelers, including U.S. government personnel. Researchers based in Israel uncovered a 179-gigabyte breach from a database owned by Autoclerk, a vendor of server and cloud-based property management software.

The exposed data included sensitive personal information of users and hotel guests, including names, birth dates, check-in times, room numbers, email addresses, phone numbers, flight information, and more, according to the BBC.

The researchers—vpnMentor, Noam Rotem, and Ran Locar—discovered the breach while working on a web mapping project to detect any weak points. During the project, they came across an unsecured and unencrypted Elasticsearch database, which maintained information from third-party travel and hospitality sites. The database was owned by Autoclerk, whose parent company is Best Western Hotel & Resorts Group. It purchased the software vendor in August 2019.

Because one of the systems connected to the Elasticsearch database was run by a U.S. government contractor, some of the information accessible from the breach included data on U.S. military personnel and U.S. Department of Homeland Security employees.

The database was shut down on 2 October 2019. According to vpnMentor, the researchers informed the U.S. Computer Emergency Readiness Team (CERT) about the vulnerability on 13 September 2019. When they saw that the database was still publically accessible, they informed the U.S. embassy in Tel Aviv on 19 September 2019 and later coordinated with the U.S. Department of Defense.

In an interview with Security Management for a separate article, Paul Moxness, former CSO of Radisson Hotel Group and a founding member of the OSAC Hotel Security Working Group, noted that hospitality organizations need to start focusing more on securing the information of their guests and staff, especially since such private data can be as valuable and financial information.

"The whole Internet and access to information, and the way information flows around, that is ... (it's) a challenge to make sure we protect the privacy of our guests and staff and businesses. It adds a whole element of threat to the hotel environment," he says.

The U.S. Cybersecurity and Infrastructure Agency (CISA) recommends reporting information technology vulnerabilities to CERT through the site www.us-cert.gov/report. For more details on reporting industrial control systems security issues, visit CISA's about page or call 1-888-282-0870.