Daniel Brown, a security researcher from Wizcase, uncovered an Elasticsearch database server that was left publicly accessible without any password protection. The database belongs to hotel management provider AavGo.
What was exposed?
The leaky database contained 8 million entries of company data, client information, and guest details. The exposed data includes,
“Hotel guest data is also made available, and provides enough details that a hacker could easily find out with minimal internet research what their home bathroom looks like (ie through real estate websites) and which schools their children attend (public records of municipal zoning),” the security researcher said in a blog.
Who has been impacted?
The companies using AavGo software were impacted, which includes,
What was the response?
The security researcher shared his findings with TechCrunch, which contacted the hospitality technology company and notified it about the database. The database was then secured on July 16, 2019.
“We had no data breach; however, we did find a vulnerability. We already started informing our customers about this vulnerability,” Mrunal Desai, Chief Executive at AavGo, told TechCrunch.
Update, July 17: The article has been updated to omit the reference to Guestline Property Management and to clarify that Guestline and its clients were not impacted by the security incident.
"Our involvement with AavGo was limited to a trial in just two hotels who were using the AavGo housekeeping app to schedule room cleaning and maintenance, and required an interface to their PMS. In these trials the hotels were not using AavGo for Customer Engagement therefore this has also been inaccurately reported. None of our customers referenced in the article use the Aavgo app. We have closed the interface with the AavGo housekeeping app with immediate effect," read the statement from Guestline.