An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. It is said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing. vpnMentor was able to view records relating to the travel arrangements of government and military personnel — both past and future — who are connected to the US government, military, and Department of Homeland Security (DHS). Within the records, for example, were logs for US Army generals visiting Russia and Israel, among other countries.
Full story here: https://www.zdnet.com/
article/autoclerk-database- leaked-customer-government- and-military-personal-records/ Commenting on the story are the following cybersecurity professionals:
This is a typical example of a misconfigured system. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. Even Elastic themselves quote on one of their recent blogs on securing Elastiscsearch: “It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password”.
With the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organizations. As datasets grow to these sizes, the data is becoming increasingly valuable to our business and in some cases even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is.