An exposed database has been leaking hundreds of thousands of pieces of personal data and travel information belonging to users and hotel guests.
Researchers Noam Rotem and Ran Locar from vpnMentor discovered that the database belonged to Autoclerk, a reservations management service owned by Best Western Hotels and Resorts Group.
In addition to the personal data of users and hotel guests being exposed, hotel and travel reservations were also leaked, including check-in times and room numbers.
The personal details of guests that were exposed included full names, dates of birth, home addresses, phone numbers, dates, costs of travel and masked credit card details.
Most surprisingly, the leak exposed sensitive data belonging to members of the US government, military and Department of Homeland Security (DHS).
“Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future,” the researchers wrote.
“This represented a massive breach of security for the government agencies and departments impacted.”
Researchers were able to view logs for US army generals travelling to Moscow, Tel Aviv and other destinations, as well as view their email addresses and phone numbers.
The database contained over 179GB of data and was hosted by Amazon Web Services in the US. The majority of the exposed data originated from external hospitality and travel platforms utilising the database owner’s platform to engage with one another.
All those whose data has been exposed are now vulnerable to attacks and exploitation by threat actors. Threat actors can create complex scams targeting the impacted businesses, and can target hotel guests to extract more information, such as their financial credentials. Additionally, the “exposed data was a goldmine for phishing campaigns.”
“The greatest risk posed by this leak was to the US government and military. Significant amounts of sensitive employee and military personnel data could now be in the public domain.
“This gives invaluable insight into the operations and activities of the US government and military personnel. The national security implications for the US government and military are wide-ranging and serious.”
The researchers have contacted the United States Computer Emergency Readiness Team (CERT) and are waiting on a response. The database is now closed.
The post #Privacy: Autoclerk database leaks U.S government personnel data appeared first on PrivSec Report.