A team of researchers from vpnMentor discovered a significant security breach in the database belonging to Autoclerk, which resulted in the leakage of personal data from United States officials, as well as up to 1,000 civilian users registered in the online booking platform of Best Western Hotels and Resorts Group.
An important data leak
The vpnMentor team specializes in providing information to users about the different VPN services found online. However, the team that manages the site is made up of specialists in security, so they constantly research to protect users.
A recent investigation led by Noam Rotem and Ran Locar revealed that the Autoclerk database, recently acquired by Best Western Hotels and Resorts Group, presented a major flaw that allowed the leak of user data. These include the full name, date of birth, residence address, telephone numbers, emails, cost and date of hotel reservations, and credit card information.
Some of the hotels belonging to the group even note the date of arrival (check-in) of customers, which can be used by criminals as a tracking tool. In total, approximately 100,000 hotel reservations were on the platform.
Autoclerk is used by external client platforms to make hotel and travel reservations. Among these clients are HAPI Cloud, OpenTravel, myHMS, and Synxis. Although all are hosted in the USA, in many cases users and passwords found in other global databases were also revealed.
Problems for the United States government
Although the breach itself is already quite worrying for civilians, the most affected of this vulnerability has been the United States Government. It turns out that a contractor in charge of organizing trips for government, military, and even the DHS (Department of Homeland Security) personnel worked with Autoclerk. Within the affected database there is PII (personally identifying information), as well as the dates and places of travel of senior military officials.
vpnMentor already made contact with CERT (USA Computer Emergency Readiness Team) and the database was closed 3 weeks later – but the department failed to respond to any of the security researchers' messages and concerns.