Updated Internal hotel biz documents and guest bookings were exposed to everyone on the public internet from an unsecured database managed by tech provider AavGo, it is claimed.
Silicon-Valley-based AavGo hosts management software in the cloud that can be used by clients to juggle reservations and operations, from sorting out cleaning and repair jobs to room service.
We learned today that Daniel Brown, of infosec outfit WizCase, discovered one of AavGo's ElasticSearch installations was set up to give anyone who found it access to its contents, and the server was inadvertently left facing the public internet.
As such, according to WizCase, anyone stumbling across the system on the 'net would have been able to peruse and download records – including details of people's room reservations – stored on behalf of hotels using AavGo's technology. The ElasticSearch silo was removed from public view after WizCase alerted AavGo this month.
"The reason this happened is that there’s an ElasticSearch engine that’s installed on this server with no authentication mechanism activated and the server itself is accessible from the internet, making the ElasticSearch data open for anyone to look at – and this server has logs from production systems so it has a lot of sensitive information," said WizCase's Chase Williams in a write-up on Tuesday.
"Servers with ElasticSearch installed on them aren’t meant to be open to the internet – this engine was developed for use in closed internal networks. That’s why it doesn’t even have password authentication activated by default."
Just what was exposed, and how much of it, are points of contention between AavGo and WizCase.
AavGo told The Register the exposed database did not contain any personal info beyond names, phone numbers, and email addresses. The biz also insisted no payment card details were stored, and nobody other than Brown is believed to have spotted the server before it was secured.
Meanwhile, WizCase claimed that among the eight million entries it found within the leaky database were collections of reservation details (how long people stayed in rooms and when, how many people stayed per room, their personal details, check-in information, payment type, and so on) as well as corporate information (such as per-room revenues, work orders, and cleaning crew information.)
Marriott's got 99 million problems and the ICO's one: Starwood hack mega-fine looms overREAD MORE
"Over eight million entries are available in this data leak, with a combination of company, client, and guest details included," said Williams. The databases were, we're told, managed on behalf of Guestline Property Management (see update below), and Equinox Solutions, which in turn provide online management tools to hoteliers. Think of AavGo as a software-as-a-service backend provider, with other suppliers building services on top of it that are then used by hotels.
AavGo, meanwhile, claimed the number of customers actually exposed by the misconfigured server was far lower: apparently as low as just 300 rooms. And it claimed no one other than WizCase staff accessed the database because, er, it saw no automated siphoning off its content.
"Based on our investigation we have determined there was no data breach; however, we did find a potential vulnerability. We have taken all steps to close the vulnerability," AavGo said in a statement to El Reg.
"We do not take any payment information from any of our customers or our partners and we don't process any payments for any guests. The scope of this vulnerability was limited to only 300 hotel rooms' data – name, address, phone number, email for the guest. No other assets had any PII [personally identifiable information] data. Based on our detailed IP investigation, we have not seen any scripted events in our logs, allowing us to reaffirm that there was no data breach."
Chalk this up as yet another almost-daily embarrassing database exposure caused by a poorly configured internet-facing server.
While locking off sensitive information from public access seems like a no-brainer, it's all too easy for developers to spin up cloud instances, misconfigure them, and leave information laying around on the web for anyone with a Shodan.io account, or access to a similar search tool, to find. Folks, at the very least, firewall off your databases from the outside world. ®
Updated to add
A spokesperson for Guestline told us none of its guest information was revealed in AavGo's ElasticSearch blunder, because it was merely testing out the provider's test in a trial: "We were trialing a small part of AavGo's app – Housekeeping back office – in two pilot hotels. Our customer base was and is not affected."
Meanwhile, a spokesperson for AavGo has been in touch to stress that information on "300 customer rooms" was leaked via the unsecured server, and that of those 8 million entries in the database, "99.999% was system generated logs."