UPDATED 23:17 EST / JULY 16 2019

SECURITY

8M lines of hotel-related code exposed in latest Elasticsearch database configuration failure

Another day, another misconfigured cloud instance exposing data, and the latest comes from AavGo, a cloud-based software provider for the hotel industry.

The latest case involves a misconfigured Elasticsearch database revealed today by security researcher Daniel Brown. The database in question, now offline, included hotel guest information, including booking and personally identifiable information, internal hotel memos, admin login details, invoices and work orders.

About 8 million lines of hotel-related code were found in the exposed database, though the names of AavGo clients were not disclosed. AavGo clients, according to its website, include Best Western International Inc., Crowne Plaza and Days Inn.

“The reason this happened is that there’s an Elasticsearch engine that’s installed on this server with no authentication mechanism activated and the server itself is accessible from the internet, making the Elasticsearch data open for anyone to look at – and this server has logs from production systems so it has a lot of sensitive information,” Brown wrote.

Chris DeRamus, chief technology officer and co-founder of cybersecurity firm DivvyCloud Corp., told SiliconANGLE that developers and engineers can often move too quickly when using cloud services such as Aavgo and bypass critical security and compliance policies.

“Leaving servers unprotected seems like such a simple mistake to avoid, but more and more companies suffer data breaches as the result of misconfigurations, and we read about them in the news almost every day,” DeRamus said. “The truth is, organizations are lacking the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions give companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real-time.”

AavGo is not the first company to expose data via a misconfigured Elasticsearch database. Some 24 million financial and banking documents were found exposed on a misconfigured Elasticsearch database belonging to data analytics company Ascension in January, and 57 million records believed to belong to Data & Leads Inc. were found exposed online in the same fashion in November.

Photo: jeepersmedia/flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU