Best Western Hotels booking management system leaked the personal data of all its customers

The team of web application security specialists at vpnMentor has discovered a massive breach in a database operated by Autoclerk, a reservation management system owned by Best Western Hotels & Resorts Group. Because this database is connected to some platforms related to travel and hospitality services, this could be a real danger to thousands of users.

During the incident, the personal data of the hotel group’s guests have been displayed, as well as a detailed description of their reservations and itineraries. In the worst cases, check-ins included booking times and even the guest’s room number.

According to web application security experts, among the most notable customers of the reservation company are the US Army, in addition to the Department of Homeland Security (DHS). “We found highly sensitive data that exposes US military personnel and security agencies, including details of past and future travel,” the experts say.

The compromised information (a little over 179 GB) was hosted on Amazon Web Services; according to the reports, this database was integrated from external travel platforms that used the database owner’s platform to interact and contrast travel information. Affected customer platforms include property management systems (PMS), booking engines and data services within the tourism and hospitality industries.

As reported the compromised database contains at least 100 thousand booking records, including personal details such as:

  • Full name
  • Date of birth
  • Address
  • Phone number
  • Travel dates and costs
  • Payment card details (protected)

Moreover, the security firm revealed that the compromised information of government officials and members of the military was operated by a third-party service, responsible for managing the travel of these officials. Among the records presented were details on the travels of some US Army generals to countries such as Russia, Israel, among others. Email addresses, phone numbers, among other data, were also exposed.

This is a really serious issue, as web application security experts mention that any organized hacker group could access this information to deploy complex fraud campaigns against exposed users, including members of the US military and intelligence officials.

As for the operating company of the exposed database, this incident could also be harmful. By analyzing the information exposed, a hacker with sufficient knowledge could learn important details about these reservation management systems, which poses a security risk in the future for the affected company and other similar services.

As a protective measure, the web application security experts from the International Institute of Cyber Security (IICS) mentioned that the affected company must implement better protection on its servers, enforce stricter access rules, in addition to not exposing a system that requires authentication to the public Internet.