Editor’s Note:  For clarification, Aavgo owns the database and its clients are not responsible for the data leak. Guestline, one of Aavgo’s clients, appeared in the breach. A spokesperson for Guestline says that they were only in trial with Aavgo’s housekeeping app for two properties. 

What’s Going On?

Our white hat hacktivist, Daniel Brown, found an at-risk database server that appears to belong to AavGo, a hospitality technology company. An example of a SQL query logged by the system From what we found, there are:

Whose Data is Available?

Over 8 million entries are available in this data leak, with a combination of company, client, and guest details included. As AavGo is a cloud-based guest engagement and operations management software as a service (SaaS), whose clients’ information composes the majority of the database on the exposed server. The companies using AavGo include (but may not be limited to): Guestline is a property management system (PMS), which seems to use AavGo as the underlying platform for customer engagement and staff management. They offer a central reservation system to coordinate rates, bookings, and inventory, provide payment solutions, a gift voucher, and other PMS related solutions. Their clients include Days Inn, the Peach Pubs group, Legacy Hotels and Resorts, SACO – The Serviced Apartment Company, and Best Western Hotels & Resorts, among others. Most of the properties using the Guestline PMS appear to be in the greater U.K. area.

Equinox Solutions customer complaint form Equinox Solutions is a logistics application, which allows hospitality industry businesses to coordinate equipment planning and purchasing. Their clients include The Ritz Carlton, Hyatt, Marriott, the Oberoi Group, Hilton, et al. The bulk of the properties using Equinox Solutions appear to be in India.

Guest and booking details Hotel guest data is also made available, and provides enough details that a hacker could easily find out with minimal internet research what their home bathroom looks like (ie through real estate websites) and which schools their children attend (public records of municipal zoning). Along with the email, full address with zip code, phone number, etc., it’s also very uncomplicated to break into email inboxes, social media, and financial accounts by simply resetting the password with the answers to common security questions. As this includes guests who are currently at the hotel, this is also prime information for potential burglars, combined with their home address, who would know the duration of their stay and how far away from home they actually are and use the window of opportunity to clear out the house.

With the information made available by this leak, marketing groups and competitors alike could easily benefit, especially by knowing:

How did it happen & how can it be prevented?

The reason this happened is that there’s an ElasticSearch engine that’s installed on this server with no authentication mechanism activated and the server itself is accessible from the internet, making the ElasticSearch data open for anyone to look at – and this server has logs from production systems so it has a lot of sensitive information. Servers with ElasticSearch installed on them aren’t meant to be open to the internet – this engine was developed for use in closed internal networks. That’s why it doesn’t even have password authentication activated by default. In order to prevent this kind of issue, administrators should set up password authentication when installing ElasticSearch and be 100% sure that the server that it’s installed on isn’t exposed to the internet (or to any external network). To find out the best ways to keep your password safe, check this out.

Who is Wizcase? Why should I trust you?

Wizcase is the international favorite source for security news and real VPN reviews and tutorials. Our security research team features expert white hat hackers who find some of the biggest data leaks – and report them to the companies and the public for a better, more secure digital life for all.