The potential data leak affected individuals, businesses, and US government agencies.
Information security experts say that on September 13 of this year they discovered an unprotected Elasticsearch database during a large-scale scan of open ports in a certain range of IP addresses.
“Open Elasticsearch database was discovered through vpnMentor’s web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within,” notes Noam Rotem, head of vpnMentor.
The repository contained 179 GB of information, which included critical personal information.
The following could be learned from the records:
In some cases, the database also contained the time of the client's arrival at the hotel and their email address.
The storage was hosted on Amazon Web Services (AWS) servers and, according to vpnMentor experts, belonged to AutoClerk. The database included data from hotel management services, in particular myHMS, CleanMeNext and SynXis, to which many travel agencies and hotels were connected. Experts noted that attackers could use this information for cyberattacks and real threats against hotel customers.
The storage remained open until October 2, 2019, and was closed only after it was reported to representatives of the US Department of Defense.
What is more unusual, however, is that US government and military figures were also involved in this security incident.
It appears that one of the platforms connected to AutoClerk and exposed in the breach is a US government contractor that deals with travel arrangements.
Within the records, for example, were logs for US Army generals visiting Russia and Israel, among other countries.
“The greatest risk posed by this leak is to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain. This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious.”