The personal information of online hotel booking customers at Best Western International, Inc. was compromised in October as the result of a cloud storage-related data breach.
According to ReclaimtheNet.org, the information of up to 1,000 Best Western customers, belonging to the online hotel booking service Autoclerk, was found to have been released, although the service handles customer databases for other hotels' reservation accounts. Autoclerk was created by Best Western, which currently owns the service.
Information for U.S. military officials included in breach
Information found in the database also included that of high-ranking U.S. government officials, including those in the military and Department of Homeland Security, The Silicon Angle reported. Government employee information was present because the workers' trips were booked through a contractor using Autoclerk, according to ReclaimtheNet.org.
Along with full names, dates of birth and addresses, the customer information found in the leaked database included phone numbers, hotel reservation booking information and credit card information.
Other Autoclerk clients who use the service to store their customers' reservation information include OpenTravel, myHMS and Synxis, per ReclaimtheNet.
The Silicon Angle claims that the 179-gigabyte customer database was discovered online in early September by security researchers at vpnMentor and was not officially secured until the start of October. The primary cause of the breach was determined to be a cloud misconfiguration: the database had been left publicly accessible in the cloud service, without any security barriers.
"Our team viewed logs for U.S. army generals traveling to Moscow, Tel Aviv and many more destinations," the vpnMentor researchers noted. "We also found their email address, phone numbers and other sensitive personal data."
The researchers initially reached out to the Department of Homeland Security's U.S. Computer Emergency Readiness Team and the U.S. Embassy in Tel Aviv, but did not receive a response from either until September 26, when the Pentagon confirmed it would "deal with" the issue, according to The Silicon Angle.
"The self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, resulting in devastating data leaks, such as this incident," DivvyCloud Corp. CTO Chris DeRamus told Silicon Angle in an October 2019 article.