Incident Of The Week: Hospitality Property Management Software Databases Expose Hundreds Of Thousands Of Travel Reservations

Elasticsearch Database Leaks Myriad Of Connected Platforms Via Public URL Access

Jeff Orr

PMS Data Breach

When you book personal or business travel, it is assumed that the collection and use of data is held in confidence and not shared. In our ever-connected society, where this travel-related data resides and how it moves is increasingly nebulous. An exposed database containing travel details for hundreds of thousands of personal, business and military personnel has been discovered to be publicly available.

The database vulnerability was discovered and reported by Noam Rotem and Ran Locar, security researchers for VPN review site vpnMentor. The amassed data, 179GB in all, contained personally identifiable information (PII) and travel details for thousands of people around the world.

Based on the contents of the exposed data, the owner of the databases is clearly in the hospitality and lodging reservation industry. The researchers believe the owner to be AutoClerk, Inc., which was recently purchased by Best Western Hotels and Resorts (BWHR) Group.

Breach By The Numbers

Type of Breach:

Publicly-accessible Elasticsearch database

Breach Dates:

Database discovered: September 13

Database access closed: October 2

Data Exposed:

The database contained hundreds of thousands of booking reservations for guests and travelers. This means that the personal details of guests in accommodations using an affected platform were also exposed. The information of people making reservations exposed included:

  • Full name
  • Date of birth
  • Home address
  • Phone number
  • Dates & costs of travel
  • Masked credit card details

On certain reservations, once a guest had checked in to a hotel, their check-in time and room number also became viewable on the database.

One of the platforms exposed in the database was a contractor for the U.S. military and government agencies included the Department of Homeland Security (DHS) that manages their travel arrangements. The leak exposed the PII of personnel and their travel arrangements, including their email address, phone numbers, and other sensitive personal data.


An Avoidable Situation

This data leak could have been avoided, according to the researchers, if the owner of the databases had followed some basic security measures. The Elasticsearch databases were hosted on Amazon’s AWS cloud platform. Regardless of the organization’s size, these steps remain the same:

  • Secure your servers
  • Implement proper access rules
  • Never leave a system that doesn’t require authentication open to the internet

See Related: Behind The Data Breach: Understanding Cloud Security And Misconfigurations

Exposed Data Not Limited To Single Owner Or Platform

The benefits of platform integration range from reducing maintenance costs to providing rapid data sharing to providing consistent functionality. One of AutoClerk’s benefits is providing a combined reservations system for hotels, accommodation providers, travel agencies and more. Its features include server- and cloud-based PMS, a web booking engine, Central Reservations Systems, and hotel PMS interfaces.

The database discovered by the security researchers was connected to a myriad of hotel and travel platforms. These external client platforms are also compromised in the data leak and include HAPI Cloud, myHMS and CleanMeNext by AutoClerk, OpenTravel and Synxis by Sabre Hospitality Solutions.

Cloud Migration Is Leading Trend for Hospitality PMS Market

The global Hospitality Property Management Software (PMS) market was valued at $762 million in 2018 and is expected to top $1 billion by the end of 2024, according to an October 2019 market research study by Hong Kong-based Global Info Research.

The developer market for hospitality PMS is led by Oracle and traditional on-premise solutions are rapidly migrating the cloud for its advantages of global reach. Asia-Pacific is the fastest growing region of the world though the United States is considered a trend-setter impacting development trends globally.

The Asian American Hotel Owners Association (AAHOA) supported the acquisition of AutoClerk by Best Western Hotels & Resorts (BWHR) citing the software developer as a company that has a proven track record and technical expertise that AAHOA members can trust.

The financial cost of a data breach is well-understood. Less known is how to quantify the damage to reputation and trust for customers, partners and investors. BWHR now finds itself assessing the risk for the organization associated with these exposed databases.

See Related: Cloud Security Market Report: Exploring The Right Enterprise Strategy

AutoClerk Took Cyber Security Very Seriously

Cyber awareness was not a foreign topic to AutoClerk. In a 2017 company blog post on getting staff to take cyber security seriously, it shared that “When it comes to cybersecurity, software company AutoClerk makes sure that its 25 employees know they are on the front lines of something akin to a life-and-death battle.” The post further goes on to quote former co-owner and Executive Vice President Charlotte Gibb. “Our customers are often targets of cyberattacks and so we have to be very alert as to how this might affect our customers. We take cybersecurity very seriously.” Gibb’s LinkedIn profile shows she left AutoClerk in August 2019 after nearly 30 years with the organization and around the time of the Best Western purchase.

Breach Notification And Next Steps

Once discovered, the Israeli-based researchers notified the U.S. Computer Emergency Readiness Team (CERT) on September 13. Government involvement was prioritized in this situation because the travel plans of government and military personnel were involved in the exposed data. The confluence is personal data, flight plans and hotel reservations (including real-time updates of check-in times and room numbers) creates nefarious possibilities for criminals to utilize the information without the travelers’ knowledge.

About a week later when no response had been received, the researchers contacted the U.S. Embassy in Tel Aviv. Pentagon officials followed up a week later and the database was closed to public access in early October.

This is not the first exposed database discovered by Rotem and Locar. The pair were first to disclose the Biostar biometrics data breach earlier this year.

See Related: Cloud Security: A CISO Guide