Major data leak on Best Western Hotels booking system exposes data related to Department of Homeland Security



A team of researchers from vpnMentor discovered a significant security breach in a database belonging to Autoclerk. The breach leaked personal data of United States officials, as well as of up to 1,000 civilian users registered on the online booking platform of Best Western Hotels and Resorts Group.

An important data leak

The vpnMentor team specializes in informing users about the different VPN services available online. The team that manages the site is also made up of security specialists, who constantly carry out research to protect users.

A recent investigation led by Noam Rotem and Ran Locar revealed that the Autoclerk database, recently acquired by Best Western Hotels and Resorts Group, had a major flaw that allowed user data to leak. The exposed data includes full names, dates of birth, residence addresses, telephone numbers, emails, the cost and date of hotel reservations, and credit card information.

Some of the hotels belonging to the group even note the date of arrival (check-in) of customers, which can be used by criminals as a tracking tool. In total, approximately 100,000 hotel reservations were on the platform.


Autoclerk is used by external client platforms to make hotel and travel reservations. Among these clients are HAPI Cloud, OpenTravel, myHMS, and Synxis. Although all are hosted in the USA, in many cases users and passwords found in other global databases were also revealed.

Problems for the United States government

Although the breach itself is already quite worrying for civilians, the party most affected by this vulnerability is the United States Government. It turns out that a contractor in charge of organizing trips for government, military, and even DHS (Department of Homeland Security) personnel worked with Autoclerk. The affected database contains PII (personally identifiable information), as well as the dates and places of travel of senior military officials.

vpnMentor contacted CERT (USA Computer Emergency Readiness Team) and the database was closed 3 weeks later, but the department failed to respond to any of the security researchers' messages and concerns.



Fabrizio Bulleri
Fabrizio Bulleri is a tech reporter with several years of experience covering the Asian tech market. He likes traveling and keeping up with everything digital-related.