- The database included booking information, guest details, complaints from guests, invoices, work orders, memos and messages between staff, images of hotel rooms, and images of broken equipment.
- The database also included hotel admin login details including the username and password for admin panel, reservation system, and internal database.
A security researcher from Wizcase, Daniel Brown uncovered an Elasticsearch database server that was left publicly available without any password protection. The database belongs to a hotel management provider AavGo.
What was exposed?
The leaky database contained 8 million entries of company data, client information, and guest details. The exposed data includes,
- Booking information, complaints from guests, invoices, work orders, memos and messages between staff, images of hotel rooms, and images of broken equipment.
- The personal information of guests including their names, dates of birth, phone numbers, email addresses, addresses, marital status, number of children, pets, food preference, login information, and payment type.
- Hotel admin login details including the username and password for admin panel, reservation system, and internal database.
“Hotel guest data is also made available, and provides enough details that a hacker could easily find out with minimal internet research what their home bathroom looks like (ie through real estate websites) and which schools their children attend (public records of municipal zoning),” the security researcher said in a blog.
Who has been impacted?
The companies using AavGo software were impacted, which includes,
- Baymont Inn & Suites
- The Row Hotel
- Stay Cal Hotels
- Zenique Hotels
- Holiday Inn Express
- Days Inn
- BestWestern Hotels & Resorts
- Lia Hotel
- Mylo Hotel
- Hotel Zico
- Santa Fe Sage Inn & Suites
- Alura Inn
- Menlo Park Inn
- Stone Villa Inn
- Alpine Inn & Suites
- Crowne Plaza
- Equinox Solutions, Ltd.
What was the response?
The security researcher shared his findings with TechCrunch, who contacted the hospitality technology company and notified them about the database. The database was then secured on July 16, 2019.
“We had no data breach; however, we did find a vulnerability. We already started informing our customers about this vulnerability.” Mrunal Desai, Chief Executive at AavGo said TechCrunch.
Update, July 17: The article has been updated to omit the reference to and clarify that the Guestline Property Management and its clients were not impacted by the security incident.
"Our involvement with AavGo was limited to a trial in just two hotels who were using the AavGo housekeeping app to schedule room cleaning and maintenance, and required an interface to their PMS. In these trials the hotels were not using AavGo for Customer Engagement therefore this has also been inaccurately reported. None of our customers referenced in the article use the Aavgo app. We have closed the interface with the AavGo housekeeping app with immediate effect," read the statement from Guestline.