A vast leak from a database belonging to the reservations management system Autoclerk, exposing 179GB of personal data including records belonging to US military, government and Department of Homeland Security personnel, has been condemned by the cybersecurity industry.
The Autoclerk leak, which was discovered by researchers at vpnMentor, saw an Elasticsearch database hosted by AWS left open and accessible online without password protection.
The database belonged to Autoclerk, the reservations management service owned by Best Western Hotels and Resorts Group, and contained hundreds of thousands of reservations, with data including full names, dates of birth, home addresses, phone numbers and masked credit card details. It also included travel dates, check-in times, room numbers and trip costs.
While this is by no means the first breach involving an unsecured database, the Autoclerk leak has caught attention because one of the platforms Autoclerk supplies is run by a contractor responsible for booking travel for the US government and military.
This means that the exposure of some of the personal data has potential national security implications.
Autoclerk leak condemned by cybersecurity industry
The incident is the latest in a string of database leaks, many involving the travel industry, including a breach of Marriott subsidiary Starwood that saw the hotel giant fined £99m by UK regulators and a breach of Teletext Holidays customer call recordings discovered by Verdict.
“Leaving a database publicly available without any security barriers in place is one of the most common yet preventable causes of data breaches in the cloud,” said Chris DeRamus, CTO of DivvyCloud.
Such leaks are generally the result of poor security practices rather than sophisticated attacks, and the Autoclerk leak is no exception.
“This is a typical example of a misconfigured system. It should have never been possible for anyone on the internet, especially without authentication, to access the data stored in the database,” said Hugo van den Toorn, offensive security manager at Outpost24.
“Data exposed to the internet with no authentication continues to be a serious problem,” added Jonathan Knudsen, senior security strategist at Synopsys.
“This incident highlights the need for basic security awareness and education across all industries. Even a basic level of understanding would have made Autoclerk’s deployment team realise the extreme risk of placing so much sensitive information on an unprotected server.”
The problem with cloud security
Incidents involving cloud-based servers continue to be a problem in part because setting up systems in the cloud is extremely simple and requires virtually no expertise, so they are often deployed by people who have never had to think about network exposure or authentication.
“The self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, resulting in devastating data leaks, such as this incident with Autoclerk,” said DeRamus.
While this lowers the barrier to deployment, it also means security is often not considered at all.
“With the countless possibilities of ‘quickly deploying a system in the cloud’, security is – still – often overlooked by organisations,” said van den Toorn.
“As datasets grow to these sizes, the data is becoming increasingly valuable to our business and in some cases even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is.”
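One concrete check a cloud team can run against the kind of misconfiguration described above, as an added example that is not code from the article, vpnMentor, Autoclerk or AWS: an audit of security-group rules that admit the internet onto the Elasticsearch ports (9200 for the REST API, 9300 for node transport). It reads a list in the shape of the `SecurityGroups` returned by boto3's `ec2.describe_security_groups()`; the three sample groups, their names and their `sg-` identifiers are constructed placeholders, and a live run would pass the real boto3 result to the same function.

```python
"""Flag AWS security-group rules that expose Elasticsearch ports to non-private sources.

Added example; the sample groups below are constructed, not real Autoclerk or AWS data.
"""
from ipaddress import ip_network

# Elasticsearch listens for REST traffic on 9200 and node-to-node transport on 9300.
ES_PORTS = {9200, 9300}

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"],
# trimmed to the fields the audit reads. Group IDs and names are placeholders.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",
        "GroupName": "es-cluster",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 9300, "ToPort": 9300,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0ffffff",
        "GroupName": "allow-all",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0safe",
        "GroupName": "es-private",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
        ],
    },
]


def exposure(cidr: str) -> str:
    """Classify a source CIDR: 'world' (0.0.0.0/0 or ::/0), 'private' (RFC 1918 / ULA), else 'public'."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    return "private" if net.is_private else "public"


def ports_covered(perm: dict) -> set:
    """Return the Elasticsearch ports a single IpPermissions entry admits."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # all protocols, all ports
        return set(ES_PORTS)
    if proto not in ("tcp", "6"):     # Elasticsearch is TCP only
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ES_PORTS if lo <= p <= hi}


def find_exposed_es(groups: list) -> list:
    """Return (group_id, ports, cidr, exposure) for every non-private source allowed onto an ES port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            ports = ports_covered(perm)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                kind = exposure(cidr)
                if kind != "private":
                    findings.append((group["GroupId"], sorted(ports), cidr, kind))
    return findings


if __name__ == "__main__":
    for gid, ports, cidr, kind in find_exposed_es(SAMPLE_GROUPS):
        print(f"{gid}: ports {ports} reachable from {cidr} ({kind})")
```

Network reachability is only half of the problem the article describes: the database also answered without a password. Closing the security group and enabling authentication in Elasticsearch itself (`xpack.security.enabled: true` in `elasticsearch.yml`) are separate controls, and a cluster needs both, since an open port with no credentials is exactly the Autoclerk condition, while a closed port with no credentials fails the moment someone widens the rule.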
This situation has prompted cybersecurity experts to call for a greater focus on security within organisations – not just within IT teams, but throughout entire companies.
“Our thirst for functionality has far outpaced our understanding of the security implications of the systems we’re building and the decisions we’re making,” said Knudsen.
“All organisations need to take a systematic approach to understanding and working with security to minimise risk. Savvy executive teams understand the seriousness of this threat and work with their security teams to inject a culture of security throughout their entire organisations.”
The implications of the Autoclerk leak
While it is not clear whether the database was accessed by malicious actors during the time it was exposed, the implications are potentially significant, particularly given that the data included government and military personnel.
“Although there has yet to be any evidence of misuse, 179GB of highly sensitive and personally identifiable information was exposed for at least three weeks, giving cybercriminals plenty of time to find the open database and harvest data to then sell on the dark web or leverage to launch future attacks against the individuals impacted,” said DeRamus.
“It is especially alarming that the database contained information on US military and government officials.”