BREACH: Hospitality Management Platform Leaks Sensitive Client & Guest DataLast Updated by Chase Williams on November 26, 2020
Wizcase recently uncovered a significant data breach in the hospitality industry. Guest communication platform AavGo has an exposed server – closed as of July 16, 2019 – containing at least two clients’ (Equinox and Guestline) databases brimming with usernames, passwords, and personal details.
Editor’s Note: For clarification, Aavgo owns the database and its clients are not responsible for the data leak. Guestline, one of Aavgo’s clients, appeared in the breach. A spokesperson for Guestline says that they were only in trial with Aavgo’s housekeeping app for two properties.
What’s Going On?
Our white hat hacktivist, Daniel Brown, found an at-risk database server that appears to belong to AavGo, a hospitality technology company.
An example of a SQL query logged by the system
From what we found, there are:
- Memos from and messages between the staff
- Booking information
- Personal information about guests
- Full personally identifying information (PII)
- Lifestyle details (ie number of children and pets)
- Payment type
- Complaints from guests and customers
- Room service orders
- Hotel admin login details
- Username and password included – allows access to the admin panel and reservation system
- Internal database user and password
- Guest system login information
- Work orders
- Images of hotel rooms taken by cleaning personnel
- Images of broken equipment
Whose Data is Available?
Over 8 million entries are available in this data leak, with a combination of company, client, and guest details included. As AavGo is a cloud-based guest engagement and operations management software as a service (SaaS), whose clients’ information composes the majority of the database on the exposed server.
The companies using AavGo include (but may not be limited to):
- Baymont Inn & Suites
- The Row Hotel
- Stay Cal Hotels
- Zenique Hotels
- Holiday Inn Express
- Days Inn
- BestWestern Hotels & Resorts,
- Lia Hotel
- Mylo Hotel
- Hotel Zico
- Santa Fe Sage Inn & Suites
- Alura Inn
- Menlo Park Inn
- Stone Villa Inn
- Alpine Inn & Suites
- Crowne Plaza
- Guestline Property Management System
- Equinox Solutions, Ltd.
Guestline is a property management system (PMS), which seems to use AavGo as the underlying platform for customer engagement and staff management. They offer a central reservation system to coordinate rates, bookings, and inventory, provide payment solutions, a gift voucher, and other PMS related solutions.
Their clients include Days Inn, the Peach Pubs group, Legacy Hotels and Resorts, SACO – The Serviced Apartment Company, and Best Western Hotels & Resorts, among others. Most of the properties using the Guestline PMS appear to be in the greater U.K. area.
Equinox Solutions customer complaint form
Equinox Solutions is a logistics application, which allows hospitality industry businesses to coordinate equipment planning and purchasing. Their clients include The Ritz Carlton, Hyatt, Marriott, the Oberoi Group, Hilton, et al. The bulk of the properties using Equinox Solutions appear to be in India.
Guest and booking details
Hotel guest data is also made available, and provides enough details that a hacker could easily find out with minimal internet research what their home bathroom looks like (ie through real estate websites) and which schools their children attend (public records of municipal zoning).
Along with the email, full address with zip code, phone number, etc., it’s also very uncomplicated to break into email inboxes, social media, and financial accounts by simply resetting the password with the answers to common security questions. As this includes guests who are currently at the hotel, this is also prime information for potential burglars, combined with their home address, who would know the duration of their stay and how far away from home they actually are and use the window of opportunity to clear out the house.
Amazon Prime order from guest
With the information made available by this leak, marketing groups and competitors alike could easily benefit, especially by knowing:
- Room rates
- Revenue per room
- Days of stay
- Origins of guests
- Booking source
- Emails and phone numbers of guests, and …
- Whether or not the guest opted into loyalty programs or email marketing lists
How did it happen & how can it be prevented?
The reason this happened is that there’s an ElasticSearch engine that’s installed on this server with no authentication mechanism activated and the server itself is accessible from the internet, making the ElasticSearch data open for anyone to look at – and this server has logs from production systems so it has a lot of sensitive information.
Servers with ElasticSearch installed on them aren’t meant to be open to the internet – this engine was developed for use in closed internal networks. That’s why it doesn’t even have password authentication activated by default.
In order to prevent this kind of issue, administrators should set up password authentication when installing ElasticSearch and be 100% sure that the server that it’s installed on isn’t exposed to the internet (or to any external network). To find out the best ways to keep your password safe, check this out.
Who is Wizcase? Why should I trust you?
Wizcase is the international favorite source for security news and real VPN reviews and tutorials. Our security research team features expert white hat hackers who find some of the biggest data leaks – and report them to the companies and the public for a better, more secure digital life for all.