8M lines of hotel-related code exposed in latest Elasticsearch database configuration failure
Another day, another misconfigured cloud instance exposing data, and the latest comes from AavGo, a cloud-based software provider for the hotel industry.
The latest case involves a misconfigured Elasticsearch database revealed today by security researcher Daniel Brown. The database in question, now offline, included hotel guest information, including booking and personally identifiable information, internal hotel memos, admin login details, invoices and work orders.
About 8 million lines of hotel-related code were found in the exposed database, though the names of AavGo clients were not disclosed. AavGo clients, according to its website, include Best Western International Inc., Crowne Plaza and Days Inn.
“The reason this happened is that there’s an Elasticsearch engine that’s installed on this server with no authentication mechanism activated and the server itself is accessible from the internet, making the Elasticsearch data open for anyone to look at – and this server has logs from production systems so it has a lot of sensitive information,” Brown wrote.
Chris DeRamus, chief technology officer and co-founder of cybersecurity firm DivvyCloud Corp., told SiliconANGLE that developers and engineers can often move too quickly when using cloud services such as AavGo and bypass critical security and compliance policies.
“Leaving servers unprotected seems like such a simple mistake to avoid, but more and more companies suffer data breaches as the result of misconfigurations, and we read about them in the news almost every day,” DeRamus said. “The truth is, organizations are lacking the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions give companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real-time.”
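One form the automated checking DeRamus describes can take, written here as an added example and not code from AavGo or DivvyCloud: a small Python auditor that flags the exact combination Brown describes, an Elasticsearch node bound to a non-loopback address with authentication left off. The two configuration samples are constructed, and the parser assumes the flat dotted-key layout elasticsearch.yml uses.

```python
import ipaddress

# Constructed sample (not AavGo's config): bound to every interface, security off
EXPOSED_CONFIG = """\
cluster.name: hotel-logs
network.host: 0.0.0.0
xpack.security.enabled: false
"""
# Constructed sample: same node on loopback only, with auth and TLS enabled
HARDENED_CONFIG = """\
cluster.name: hotel-logs
network.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse 'key: value' lines, dropping comments and blanks (flat dotted keys only)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def host_is_public(host):
    """True if this bind address accepts traffic from outside the machine."""
    if host in ("_local_", "localhost", "", "::1"):
        return False
    if host in ("_site_", "_global_", "0.0.0.0", "::"):  # Elasticsearch 'bind outward' values
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # hostname or interface name: treat as reachable until proven otherwise

def audit(text):
    """Return findings for the exposure pattern; an empty list means it is absent."""
    s = parse_flat_yaml(text)
    # network.host defaults to loopback; it may also be a list such as [_local_, _site_]
    hosts = s.get("network.host", "_local_").strip("[]").split(",")
    public = any(host_is_public(h.strip()) for h in hosts)
    findings = []
    # security was off by default before 8.0, so an unset key counts as unverified
    if public and s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("reachable node without xpack security: anyone can read every index")
    if public and s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP API served without TLS: credentials and data cross the wire in clear")
    return findings
```

Run `audit()` over each node's elasticsearch.yml as part of a deployment pipeline so the pattern is caught before the server is reachable, not after its logs are.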
AavGo is not the first company to expose data via a misconfigured Elasticsearch database. Some 24 million financial and banking documents were found exposed on a misconfigured Elasticsearch database belonging to data analytics company Ascension in January, and 57 million records believed to belong to Data & Leads Inc. were found exposed online in the same fashion in November.