Researchers have discovered another unsecured Elasticsearch database, this time exposing data on thousands of travelers including US military and government employees.
The research team at vpnMentor discovered the online database hosted on AWS infrastructure, on September 13. It belonged to Autoclerk, a reservations management system now owned by hotel chain Best Western Hotels and Resorts Group.
The database contained over 179GB of data, often sourced from third party travel and hospitality platforms including OpenTravel, HAPI Cloud, and Synxis. Among these were hundreds of thousands of bookings and reservations, exposing personal details such as: full name, date of birth, home address, phone number, dates & costs of travel, and masked credit card details.
For ordinary travelers caught in leaks like this, there is the risk of follow-on phishing attacks and identify fraud attempts, as well as a chance that attackers could target their home while they are away.
However, there are even more concerning national security implications for the government personnel data exposed in the incident.
“One of the platforms exposed in the database was a contractor of the US government, military, and DHS. The contractor manages the travel arrangements of US government and military personnel, as well as independent contractors working with American defense and security agencies,” explained vpnMentor.
“The leak exposed the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for US army generals traveling to Moscow, Tel Aviv, and many more destinations. We also found their email address, phone numbers, and other sensitive personal data.”
The firm urged US government officials to urgently vet any third-party contractors to ensure they follow strict data security protocols when handling sensitive information of this kind.
The data in question was left exposed for nearly a month, until the database was closed on October 2.
Cloud database misconfigurations have become an Achilles’ heel for many organization, argued DivvyCloud CTO, Chris DeRamus.
“Companies must adopt robust security strategies that are appropriate and effective in the cloud, at the same time as adoption of cloud services — not weeks, months or years later,” he added.
“Automated cloud security solutions can detect misconfigurations such as an unprotected database in real time and trigger immediate remediation, so that Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.”