US government, military, and Department of Homeland Security (DHS) data was exposed by an Elasticsearch database belonging to the reservations management system Autoclerk.
The leak exposed the data of thousands of users and hotel guests across the globe; the breach also impacted military security agencies.
Autoclerk is the contractor that manages travel arrangements for US government and military personnel, as well as independent contractors. Autoclerk was recently acquired by Best Western Hotel & Resorts Group, the biggest hotel chain in the world.
Data Exposed in Leak
Researchers from vpnMentor discovered the unsecured Elasticsearch database, which is hosted by Amazon Web Services in the USA and contains over 179GB of data.
The database contains 100,000s of booking reservations for guests and travelers. The following personal details of users were exposed:
- Full name
- Date of birth
- Home address
- Phone number
- Dates & costs of travel
- Masked credit card details
For some hotels, even the check-in time and room number are visible.
Travel, hospitality, and personal data were exposed, including the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for US Army generals traveling to Moscow, Tel Aviv, and many more destinations.
“Before adopting software or apps to manage an area of your business, make sure they are following data security best practices. If processing external data, such as a hotel guest or members of the public, you need to ensure this data is protected from hackers.”
With personal details in hand, attackers can extract more information, such as financial account details or sensitive passwords. Attackers may launch targeted phishing campaigns to trick victims into providing passwords or credit card details, or to embed malicious software on a device.