Led by Noam Rotem and Ran Locar, vpnMentor's research team discovered a breach in a database belonging to Autoclerk, a reservations management system owned by Best Western Hotels and Resorts Group. Connected to various travel and hospitality-related platforms online, the exposed database posed a risk to many parties.
A few weeks prior to our team discovering the leak, Autoclerk was bought by Best Western Hotels & Resorts Group, potentially exposing one of the biggest hotel chains in the world.
The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number. It affected 1,000s of people across the globe, with millions of new records being added daily.
The most surprising victim of this leak wasn't an individual or company: it was the US government, military, and Department of Homeland Security (DHS). Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future.
This represented a massive breach of security for the government agencies and departments impacted.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue is quickly resolved. But these times are rare. Most often, we need days of investigation before we understand what's at stake or who's leaking the data.
Understanding a breach and what's at stake takes careful attention and time. Some affected parties deny the facts, disregarding our research or playing down its impact. We need to be thorough and make sure everything we find is correct and true.
We work hard on publishing accurate and trustworthy reports, to ensure everybody who reads them understands their seriousness.
In this case, due to the number of external origin points and the sheer size of the data exposed, the owner of the database was unclear for a little while, but we suspected it belonged to Autoclerk for a number of reasons.
Meanwhile, we have contacted the United States Computer Emergency Readiness Team (CERT). We outlined the nature of the leak, and the government, military, and DHS data that was exposed. However, at the time of publishing, they have not replied to our email, ignoring our concerns.
September 13th: Database discovered
September 13th: US CERT contacted, no response
September 19th: US Embassy in Tel Aviv notified about the lack of CERT response
September 26th: Contact made with a representative of the Pentagon, who ensures the issue will be dealt with
October 2nd: Database closed
Examples of Entries in the Database
The database was hosted by Amazon Web Servers in the USA, containing over 179GB of data. Much of the data exposed originated from external travel and hospitality platforms using the database owner's platform to interact with one another.
The platforms affected include property management systems (PMS), booking engines, and data services within the tourism and hospitality industries.
Travel & Hospitality Platforms Affected
Autoclerk is a combined reservations system for hotels, accommodation providers, travel agencies and more. Its features include server- and cloud-based Property Management Systems (PMS), a web booking engine, Central Reservations Systems, and hotel PMS interfaces. For this reason, the database our team found was connected to myriad hotel and travel platforms.
Some examples of the external client platforms compromised by the leak include:
HAPI Cloud
OpenTravel
myHMS and CleanMeNext by Autoclerk
Synxis by Sabre Hospitality Solutions
While these platforms are mostly based in the US, the leak exposed users all over the world. Our team viewed many unencrypted login credentials to access accounts on additional systems external to the database, such as separate PMS platforms, guest ratings & survey systems, and more.
Personal & Travel Data Exposed
As the platforms exposed in this leak focused on travel and hospitality, the database contained 100,000s of booking reservations for guests and travelers. This meant the personal details of guests in accommodations using an affected platform were also exposed.
The information of people making reservations that was exposed includes:
Full name
Date of birth
Home address
Phone number
Dates & costs of travel
Masked credit card details
On certain reservations, once a guest had checked in to a hotel, their check-in time and room number also became viewable on the database.
All this information is incredibly valuable for criminal hackers and online thieves.