Researchers at vpnMentor have released a post detailing a data leak that is unexpectedly affecting the United States military. What makes this a surprising discovery is that the leak originates in the database for cloud-based hotel property management system AutoClerk. AutoClerk is owned by Best Western Hotels and Resorts Groups and oversees the travel data (like check-in times, travel reservations, and room numbers) for numerous global entities. The breach itself is the result of a misconfigured database and other issues with their roots in human error.
While thousands of civilians are affected by the personal data exposed, the U.S. military is perhaps the most important victim in this breach. As vpnMentor states regarding the AutoClerk breach discovery:
The most surprising victim of this leak wasn’t an individual or company: it was the US government, military, and Department of Homeland Security (DHS). Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future… the leak exposed the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for US army generals traveling to Moscow, Tel Aviv, and many more destinations. We also found their email address, phone numbers, and other sensitive personal data…This represents a major flaw in the data security apparatus around such sensitive information. Any company concerned with the travel logistics of high-level military personnel should be adhering to the strictest data protection practices.”
The possibilities of social engineering attacks specifically directed at American targets have increased because of this AutoClerk leak. Phishing attacks are the most obvious possibility, and the U.S. military is going to have to work overtime to ensure that nobody is tricked into giving away more information. There has been no official statement from the Department of Defense on this incident, but they undoubtedly know about the situation due to the research produced by vpnMentor.
There is likely going to be significant blowback from this incident, and any pertinent information will be subsequently reported on.
Featured image: Pexels
