Open Database Leaked 179GB In Customer, US Government, and Military Records (zdnet.com)
An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. ZDNet reports: On Monday, vpnMentor's cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.
In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor's web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within. The team says that "thousands" of individuals were impacted, although due to ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number. Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed. Some of the records were logs for U.S. Army generals visiting Russia and Israel, the report says. In total, the AWS-hosted database contained over 179GB of data.
Why can't they just count the records? (Score:3, Insightful)
Re:Why can't they just count the records? (Score:4, Insightful)
Ahh padawan, I see you do not understand. Here is the lesson: lowest tender vs safety and security. When you do it as cheap as you can, do not expect good outcomes; they will not happen. They failed because profit was the primary focus and costs are the enemy of profit, the blood enemy, the enemy to be ruthlessly, relentlessly attacked and of course, the fuck up, turned into someone else's problem after you have wandered off with the profits and bonuses. Accept zero change until the persons responsible for those actions and decisions face custodial sentences. Expect pretty rapid change after a CEO, board members and tech staff receive years-long custodial sentences, bloody overnight change, they start spending ten times as much on lobbyists getting laws changed. You don't think they would even give a fuck about actual security, do you? Only if there is a profit in it. Face the profit in security is breaking it and not making it, all the profits from security relate to hacking it and accessing the data, from corporate financial data for insider trading, to extortion material, to stealing patentable ideas (corporations and even corrupt governments all play, steal ideas and claim them through illegal surveillance, pathetic liars, cheats and thieves being who they are, taking pride in being liars, cheats and thieves).
The system has been fucked by psychopaths and will routinely fail.
Why even care anymore? (Score:5, Insightful)
Count the movements of (Score:4, Insightful)
In town for police work...
Someone is watching the US mil/CIA/FBI the same way the UK counted German troop trains in WW1.
AWS ... (Score:3)
Access Welcome Security.
The customers who buy a bucket don't bother to lock the doors. That's on the customers.
Why Even Bother Reporting Breaches (Score:3)
Password taped to desk? (Score:5, Interesting)
I stayed at a Best Western in Georgia (US) once and they had the username and password for their reservation system written on a note taped next to the computer. I told them about it and the answer was "Well, even if someone took that they could only get into our local system; they wouldn't be able to do anything besides messing with our reservations." My suggestion that they at least move the password to a place where customers couldn't see it was met with a bored stare.
They don't know how many? (Score:3)
Hmm. Not number of records this time. (Score:1)
Let's assume this is all base 2 and not base 10. (Base 10 can be called ib)
Let's say $2500 for every MB lost. That's 22912MB. That works out to be $57,280,000