Self-styled “hacktivist” researchers have this week revealed a truly huge data breach with implications for many major hotel chains around the globe. Rather than revealing financial or guest information, as is the norm for breaches involving the travel and hospitality industry, this time the data exposed was actually far more valuable: some 85.4GB of security audit logs.
What data has been exposed?
The breach itself was discovered by the same vpnMentor research team, led by Noam Rotem and Ran Locar, that discovered the 11 million photo leak I wrote about earlier today. vpnMentor reports that on May 27 the researchers discovered an unsecured server connected to hotel and resort management company the Pyramid Hotel Group. The researchers say that the leaked data includes, but is not limited to, the following which reads like a cybercriminal’s dream shopping list:
- Server API key and password
- Device names
- IP addresses of incoming connections to the system and geolocation
- Firewall and open ports information
- Malware alerts
- Restricted applications
- Login attempts
- Brute force attack detection
- Local computer name and addresses, including alerts of which of them has no antivirus installed
- Virus and malware detected on various machines
- Application errors
- Server names and OS details
- Information identifying cybersecurity policies
- Employees’ full names and usernames
What don’t we know?
Because the server was exposed for more than a month, it is unknown whether anyone other than the good guys stumbled across it and stepped right through. What I do know is that if the security researchers could find it so easily, then the threat actors certainly could have as well. If they did, then access to the data it contained may have allowed them to perform in-depth surveillance of any hotel network implicated in the exposure. This would enable them to “build an attack vector targeting the weakest links in the security chain,” according to the vpnMentor research team. It is of huge concern as it also means the attacker could, in effect, see what the hotel security team sees and learn which of their own attack attempts were being detected, based on the alerts the system returned.
It’s also possible that the physical security of guests could be impacted by the data leak. “Our team found multiple devices that control hotel locking mechanisms, electronic in-room safes, and other physical security management systems,” vpnMentor explains, “in the wrong hands this drives home the very real danger here of when cybersecurity flaws threaten real-world security.”
What went wrong?
The researchers point to the fact that the data goes back to April 19, which could indicate that a system setup, reconfiguration or maintenance operation left the server open and available to anyone who looked. The server in question was running an open source intrusion detection system called Wazuh, and it was this server that was leaking the 85.4GB of security audit logs. Because Pyramid Hotel Group clients include some of the biggest hotel chains across many countries, and the data that was exposed relates to their operating systems, security policies, internal networks and cybersecurity event information, this becomes a potentially very serious incident indeed.
Sean Wright, application security specialist and Scottish chapter leader of the Open Web Application Security Project (OWASP), says that “this is absolute gold to attackers, that this was publicly available on the Internet makes it trivial to get that information.” Wright pointed out that the documentation for Wazuh mentions the need to secure the accompanying Elasticsearch installation, an open source database with full-text search. Misconfigurations of such elements are fairly common and have put Elasticsearch databases at the heart of several recent data exposure reports, such as the one concerning the Tommy Hilfiger Japan website. “Throw an insecure database onto public infrastructure and you are asking for trouble,” Wright concludes.
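To make Wright's point concrete, here is the class of misconfiguration he is describing, shown as two elasticsearch.yml fragments: the weak pattern that leaves a log store answering to the whole Internet, and the hardened equivalent. This is an added illustration, not the Pyramid Hotel Group's configuration and not text from the Wazuh documentation; the key names are Elasticsearch's own settings, while the addresses, certificate paths and the choice of a single-node deployment are assumptions made for the example.

```yaml
# Added illustration, not the configuration from the incident.
# Key names are Elasticsearch's own elasticsearch.yml settings;
# addresses and paths below are assumed values for this example.

# --- elasticsearch.yml (weak): the pattern behind exposures like this ---
# Binding to every interface puts the REST API on the public address.
network.host: 0.0.0.0
http.port: 9200
# With authentication off, any client that can reach port 9200 can read,
# search and delete every index, including the ones holding the alert data.
xpack.security.enabled: false

---
# --- elasticsearch.yml (hardened): reachable only by the components that need it ---
# Listen on loopback (or a private management address) so the Wazuh
# manager and Kibana on the same host can reach it but the Internet cannot.
network.host: 127.0.0.1
http.port: 9200
# Assumed single-node deployment; security can be enabled without a
# multi-node discovery configuration.
discovery.type: single-node
# Require credentials on every request and TLS on node-to-node traffic.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# Placeholder certificate store paths for this example.
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

The binding change is the part that would have mattered most here: a store that only listens on a private address cannot be stumbled upon by an Internet-wide scan, and authentication on top of that means a later change to the binding does not silently reopen the data. After applying a change like this, confirm from a host outside the management network that port 9200 no longer answers, and back the setting with a host firewall or cloud security-group rule that admits only the Wazuh manager and Kibana addresses.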
What went right?
It’s not all bad news. According to the disclosure timeline revealed by vpnMentor, the breach was discovered on May 27 and the Pyramid Hotel Group notified on May 28. The vulnerability was fixed on May 29, so the response was a quick and efficient one. That comes as cold comfort to Jake Olcott, the vice president of government affairs at BitSight. Olcott, who has previously served as legal advisor to the Senate Commerce Committee and counsel to the House of Representatives Homeland Security Committee, says that while other sectors such as finance have been focused on measuring and monitoring third-party cyber risk, “the hospitality sector does not face the same regulatory pressures.” Incidents such as this need to act as a wake-up call to the entire travel and hospitality sector, according to Olcott. “They’re going to have to take a closer look at these issues,” he warns, “or face reputational and economic damage…”
The Pyramid Hotel Group did not respond to my requests for comment before the time of publication. If comment is forthcoming I will update this story accordingly.