Security researchers Noam Rotem and Ran Locar from vpnMentor have uncovered an unprotected Elasticsearch database belonging to Pyramid Hotel Group.
The unsecured database exposed almost 85GB of security logs from major hotels, including Marriott locations, Sheraton hotels, and Hilton Hotel properties.
Which hotel chains are impacted?
The security incident has impacted multiple hotels in the US, Hawaii, the Caribbean, Ireland, and the UK that are managed by the Pyramid Hotel Group, including Marriott locations, Sheraton hotels, Plaza resorts, Hilton Hotel properties, as well as a number of independent hotels.
The impacted properties include the Marriott property Aloft Sarasota, Tarrytown House Estate in New York, Carton House Luxury Hotel in Ireland, Aloft Hotels in Florida, and Temple Bar Hotel in Ireland.
Pyramid has publicly listed 90 properties; however, the leaky database contains data relating to 96 locations.
What data was involved?
“In the worst case scenario, this leak has the potential to put not only systems at risk, but the physical security of hotel guests and other patrons as well,” researchers said.
The leaky server secured
The researchers, including vpnMentor co-founder Ariel Hochstadt, uncovered the leaky server on May 27, 2019, while using port scanners to map areas of the Internet. The information exposed by the unguarded database dates back to April 19, 2019.
Upon discovery, the researchers notified Pyramid about the exposed server on May 28, 2019. The company secured the leaky database on May 29, 2019.
“This database gives any would-be attacker the ability to monitor the hotels’ network, gather valuable information about administrators and other users, and build an attack vector targeting the weakest links in the security chain,” researchers said in a blog post.