
Open Database Leaked 179GB In Customer, US Government, and Military Records (zdnet.com)

An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. ZDNet reports: On Monday, vpnMentor's cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.

In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor's web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within. The team says that "thousands" of individuals were impacted, although due to ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number. Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed.
Some of the records were logs for U.S. Army generals visiting Russia and Israel, the report says. In total, the AWS-hosted database contained over 179GB of data.
  • by functor0 ( 89014 ) on Wednesday October 23, 2019 @08:34PM (#59341276)
    I come from the old SQL school, where counts of records can easily be added together and the database schema can be queried. Are these newfangled databases incapable of doing this without looking at the actual data?
    • by rtb61 ( 674572 ) on Wednesday October 23, 2019 @08:50PM (#59341302) Homepage

      Ahh padawan I see you do not understand, here is the lesson lowest tender vs safety and security. When you do it as cheap as you can do not expect good outcomes they will not happen, they failed because profit was the primary focus and costs are the enemy of profit, the blood enemy, the enemy to be ruthlessly relentlessly attacked and of course, the fuck up, turned into someone else's problem after you have wandered off with the profits and bonuses. Accept zero change until the persons responsible for those actions and decisions face custodial sentences. Expect pretty rapid range after a CEO, board members and tech staff, receive years long custodial sentences, bloody overnight change, they start spending ten times as much on lobbyists getting laws changed. You don't think they would even give a fuck about actual security do you, only if there is a profit in it. Face the profit in security is breaking it and not making it, all the profits from security relate to hacking it and accessing the data, from corporate financial data for insider trading, to extortion material to stealing patentable ideas (corporations and even corrupt governments all play, steal ideas and claim them through illegal surveillance, pathetic liars, cheats and thieves being who they are, taking pride in being liars cheats and thieves.)

      The system has been fucked by psychopaths and will routinely fail.

      • Re: (Score:3, Insightful)

        by nsuccorso ( 41169 )
        Will whoever is responsible for the rtb61 bot account please shut it off, or at the very least replace it with something more coherent like, I dunno, ELIZA perhaps?
      • by bugs2squash ( 1132591 ) on Thursday October 24, 2019 @09:23AM (#59342340)
        They failed well before they chose a vendor, why these people feel that they should collect and store all this personal information is beyond me. Date of Birth seems an easy example. Until companies are sued into oblivion for leaking personal information they will continue to store it because, hey, seemed like it might come in useful for marketing...
  • by AndyKron ( 937105 ) on Wednesday October 23, 2019 @08:35PM (#59341278)
    And not one motherfucker is going to jail for this so it will continue to happen. Why even care anymore?
  • by AHuxley ( 892839 ) on Wednesday October 23, 2019 @09:13PM (#59341340) Journal
    US mil officers, contractors, special forces, police. Who is moving, on holiday, has their holiday canceled.
    In town for police work...
    Someone is watching the US mil/CIA/FBI the same way the UK counted German troop trains in WW1.
  • by CaptainDork ( 3678879 ) on Wednesday October 23, 2019 @09:14PM (#59341342)

    Access Welcome Security.

    The customers who buy a bucket don't bother to lock the doors. That's on the customers.

  • by Marlin Schwanke ( 3574769 ) on Thursday October 24, 2019 @12:04AM (#59341590)
    Why even bother to report this stuff anymore? We should all assume that every bit of our personal information is freely available online and get over it. The way business runs their IT it doesn't seem far off the mark. Businesses that amass and store consumer data in such a sloppy fashion should be shuttered. I won't be holding my breath.
  • by Volatile_Memory ( 140227 ) on Thursday October 24, 2019 @07:00AM (#59342026)

    I stayed at a Best Western in Georgia (US) once and they had the username and password for their reservation system written on a note taped next to the computer. I told them about it and the answer was "Well, even if someone took that they could only get into our local system; they wouldn't be able to do anything besides messing with our reservations." My suggestion that they at least move the password to a place where customers couldn't see it was met with a bored stare.

  • by neo-mkrey ( 948389 ) on Thursday October 24, 2019 @08:31AM (#59342204)
    select count(*) from customer_id;
  • Let's see. No actual user record count I saw, so my normal fine calculation can't be applied.

    Let's assume this is all base 2 and not base 10. (Base 10 can be called ib)
    Let's say $2500 for every MB lost. That's 22912MB. That works out to be $57,280,000
