
Major data leak on Best Western Hotels booking system exposes data related to Department of Homeland Security

The party most affected by this vulnerability has been the United States Government.


A team of researchers from vpnMentor discovered a significant security breach in the database belonging to Autoclerk, which resulted in the leakage of personal data from United States officials, as well as up to 1,000 civilian users registered in the online booking platform of Best Western Hotels and Resorts Group.

An important data leak

The vpnMentor team specializes in providing information to users about the different VPN services found online. However, the team that manages the site is made up of security specialists, so they regularly conduct research to protect users.

A recent investigation led by Noam Rotem and Ran Locar revealed that the Autoclerk database, recently acquired by Best Western Hotels and Resorts Group, presented a major flaw that allowed the leak of user data. The exposed data includes full names, dates of birth, residence addresses, telephone numbers, emails, the cost and date of hotel reservations, and credit card information.

Some of the hotels belonging to the group even note the date of arrival (check-in) of customers, which can be used by criminals as a tracking tool. In total, approximately 100,000 hotel reservations were on the platform.

Autoclerk is used by external client platforms to make hotel and travel reservations. Among these clients are HAPI Cloud, OpenTravel, myHMS, and Synxis. Although all are hosted in the USA, in many cases users and passwords found in other global databases were also revealed.

Problems for the United States government

Although the breach itself is already quite worrying for civilians, the party most affected by this vulnerability has been the United States Government. It turns out that a contractor in charge of organizing trips for government, military, and even DHS (Department of Homeland Security) personnel worked with Autoclerk. The affected database contains PII (personally identifiable information), as well as the dates and places of travel of senior military officials.

vpnMentor already made contact with CERT (USA Computer Emergency Readiness Team) and the database was closed 3 weeks later – but the department failed to respond to any of the security researchers’ messages and concerns.
