2 min read

Sensitive US government and military travel details left exposed online

Graham CLULEY

October 25, 2019

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Sensitive US government and military travel details left exposed online

Significant amounts of sensitive data about employees of the US government military personnel data could now be in the public domain following its exposure in a data leak.

Israeli security researchers Noam Rotem and Ran Locar discovered 179 GB of data on an unsecured AWS server, run – they believe – by a travel services firm.

The database is thought to belong to AutoClerk, a reservation management system recently acquired by Best Western Hotels and Resorts Group, and revealed the sensitive personal details of thousands of people, including their hotel and travel reservations.

Data exposed by the unsecured web bucket, which could be accessed by anybody without the use of any passwords, included:

  • Full name
  • Date of birth
  • Home address
  • Phone number
  • Dates & costs of travel
  • Partial credit card details

In some cases the data even included logs for US Army generals travelling to such destinations as Moscow and Tel Aviv, as well as even individuals’ hotel room numbers and check-in times.

The researchers also note that they were able to view “many unencrypted login credentials to access accounts on additional systems external to the database”, opening the possibility that other hotel and accommodation reservation systems could also be at risk of compromise by hackers.

In its blog post announcing the researchers’ discovery, VPNMentor described the incident as “a massive breach of security for the government agencies and departments impacted.”

The researchers explained how it was able to access the sensitive data:

“Whoever owns the database in question uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time.”

Uncertain as to who the database belonged to, although suspecting it was AutoClerk, the researchers first contacted the United States Computer Emergency Readiness Team (CERT) without success. Ultimately it was only after reaching out to the US embassy in Tel Aviv, and making contact with the Department of Defense at the Pentagon that the unsecured database was finally closed – weeks after its initial discovery.

What’s particularly frustrating is that data leaks like this are so easy to prevent. A series of very public data breaches from unsecured web servers – some even previously from defence contractors – could have been avoided if the database owners had configured their security properly.

tags


Author



Right now

Top posts

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

How to keep your Android device immune to malicious vaccine themed apps How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read