Autoclerk Breach Impacts Hotel Guests and Military Personnel
According to a blog post on vpnMentor, a research team, led by Noam Rotem and Ran Locar, is reporting a breach in a database owned by Autoclerk, the property management system recently acquired by Best Western. The database, hosted by AWS, contained over 179GB of data.
The vpnMentor research team discovered this breach as part of a huge web mapping project. During this project, hackers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked.
The blog details that an open database exposed records containing sensitive data of hotel guests as well as U.S. military personnel and officials. One of the platforms connected to Autoclerk that was also exposed in the breach is a contractor of the U.S. government that was involved with travel arrangements. The report states, “The leak exposed the personally identifying information (PII) of personnel and their travel arrangements.”
As outlined in the blog, Autoclerk facilitates communication between different hospitality platforms. A substantial portion of the data originated from external platforms.
“As the platforms exposed in this leak focused on travel and hospitality, the database contained 100,000s of booking reservations for guests and travelers. This meant the personal details of guests in accommodations using an affected platform were also exposed.”
The data exposed included: full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details.
At the time of writing, it has not been possible to track the overall owner of the database due to the "number of external origin points and sheer size of the data exposed," the team says.