Best Western’s Massive Data Leak: 179GB Amazon Database Open to All

The latest huge unsecured cloud storage find is in Autoclerk—a service owned by Best Western. “Hundreds of thousands” of hotel guest records containing sensitive personal data, all available on the internet with no authentication nor encryption.

And, to make it worse, Autoclerk was also used for U.S. government travel. So terrorists could have tracked the movements of strategic staff.

Here we go again. In today’s SB Blogwatch, we déjà vu anew.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Rollin’.


AWS Data Lake Leak

What’s the craic? Charlie Osborne reports—“Database leaked 179GB in customer, US government, and military records”:

 An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed. … Autoclerk, a service owned by Best Western Hotels and Resorts group … is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.

It had no encryption or security barriers whatsoever. … Hundreds of thousands of booking reservations for guests were available to view … including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers.

It appears that one of the platforms connected to Autoclerk exposed in the breach is a contractor of the US government that deals with travel arrangements. … Within the records, for example, were logs for US Army generals visiting Russia and Israel, among other countries.

The United States Computer Emergency Readiness Team (CERT) was informed of the leak on September 13 but did not respond.

Ouch. Lindsey O’Donnell adds—“Data Leaked By Autoclerk”:

 Autoclerk … was acquired by the Best Western Hotel and Resorts Group in August. … Autoclerk software is used by third-party travel agencies [including] HAPI Cloud, OpenTravel and Synxis by Sabre Hospitality Solutions.

Beyond the privacy implications of hackers getting their hands on PII of customers, researchers said that the reservation details of customers in the database could provide attackers with valuable clues to piece together fraud or phishing attacks. … The database could also have physically dangerous implications for victims … especially for potentially high-profile government or military personnel.

Who found it? vpnMentor’s Noam Rotem and Ran Locar—“Travel Reservations Platform Leaks”:

 The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations … with millions of new records being added daily. … This represented a massive breach of security for the government agencies and departments impacted.

We have contacted the United States Computer Emergency Readiness Team (CERT). We outlined the nature of the leak, and the government, military, and DHS data that was exposed. However, at the time of publishing, they have not replied to our email, ignoring our concerns.

All this information is incredibly valuable for criminal hackers and online thieves. … For the US government, alarm bells should be ringing. … Criminals could pose as hotels or booking engines used by guests, crafting convincing emails to easily fool them. The effects could be devastating, both financially and personally.

This represents a major flaw in the data security apparatus around such sensitive information. Any company concerned with the travel logistics of high-level military personnel should be adhering to the strictest data protection practices.

Ain’t that the truth? e-sushi—@originalesushi—feels the shockwave:

 You’ve probably seen it in the movies: that short, silent moment between the detonation of a nuke, and the blast that sets in to wipe you off this planet.

That’s how job security must feel when you were in charge of the security of that 179GB database.

Time to prosecute the CEO? rtb61 curbs your enthusiasm:

 Ahh padawan I see you do not understand, here is the lesson: lowest tender vs. safety and security. When you do it as cheap as you can, do not expect good outcomes—they will not happen.

Profit was the primary focus and costs are the enemy of profit, the blood enemy, the enemy to be ruthlessly, relentless attacked. And of course, the **** up turned into someone else’s problem after you have wandered off with the profits and bonuses.

[But] expect pretty rapid change after a CEO, board members and tech staff, receive years long custodial sentences. … You don’t think they would ever give a **** about actual security do you? Only if there is a profit in it.

The system has been ****ed by psychopaths and will routinely fail.

A slightly less sweary Dean of Pentacles—@da_terry—gets all wistful:

 Remember the 90s, when things needed to be hacked? Today, everything is just laying around on the internet.

I know, right?  Marlin Schwanke asks, “Why Even Bother Reporting Breaches?”:

 Why even bother to report this stuff anymore? We should all assume that every bit of our personal information is freely available online and get over it. The way business runs their IT it doesn’t seem far off the mark.

Business that amass and store consumer data in such a sloppy fashion should be shuttered. I won’t be holding my breath.

And Doctor Syntax is IN:

 You’d think by now that hotel chains would have learned that
(a) they really need to do a thorough annual audit of their own security, and
(b) do the same in spades for any business they’re thinking of buying.

It’s going to take a few more big fines and lawsuits, big enough for the board and investors to notice. Even then it seems doubtful that they’ll manage to learn from the misfortunes of others.

Meanwhile, Volatile_Memory randomly remembers:

 I stayed at a Best Western in Georgia (US) once and they had the username and password for their reservation system written on a note taped next to the computer. I told them about it and … was met with a bored stare.

And Finally:

This is how we roll

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Raysonho (cc:0)

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 595 posts and counting.See all posts by richi