AutoClerk has suffered from a data leak. In all, 179GB of information has been exposed including government and military personnel.
There’s been another major data leak to report. AutoClerk, now owned by Best Western, has suffered from a data leak. In all, 179GB of data has been exposed. The affected people in the breach include people working for the US government, military, and the Department of Homeland Security (DHS). The leak was discovered by VPNMentor. From the report:
A few weeks prior to our team discovering the leak, Autoclerk was bought by Best Western Hotel & Resorts Group, potentially exposing one of the biggest hotel chains in the world.
The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number. It affected 1,000s of people across the globe, with millions of new records being added daily.
The most surprising victim of this leak wasn’t an individual or company: it was the US government, military, and Department of Homeland Security (DHS). Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future.
This represented a massive breach of security for the government agencies and departments impacted.
Probably what is troubling about this story is the fact that VPNMentor actually contacted authorities to report the leak. They wound up getting no response initially. They attempted to contact the United States Computer Emergency Readiness Team (CERT) on September 13, the day the database exposure was discovered. Unfortunately, they got no response. On September 19, they contacted the US Embassy in Tel Aviv about the lack of a response from CERT. On September 26, a representative from the Pentagon contacted VPNMentor to notify them that the issue is being dealt with. It wasn’t until October 2nd that the leaking database was finally closed.
So, in all, it took 19 days from the initial report to get the database closed down. While a this clearly represents a fair bit of time, the fact that the initial point of contact didn’t yield a response is, at best, problematic. As we’ve pointed out in the past, it’s one thing to have a leaking database. After all, mistakes do happen. We are all human. It’s quite another to ignore credible warnings that the leak is happening. That is when an argument can be made that heads should roll over the issue.
One thing is for sure, this is not a small incident by any means.
Drew Wilson on Twitter: @icecube85 and Facebook.