3rd Party Risk Management , Application Security , Breach Notification
Choice Hotels: 700,000 Guest Records Exposed
Vendor Copied Data Without Authorization, Left MongoDB Open to InternetChoice Hotels says about 700,000 guest records were exposed after one of its vendors copied data from its systems. Fraudsters discovered the unsecured database and tried to hold the hotel chain to ransom, which it ignored.
See Also: Mitigating Identity Risks, Lateral Movement and Privilege Escalation
Choice Hotels is one of the largest lodging franchisers, with 7,000 locations in 40 countries, including brands such as EconoLodge, Comfort Inn and Quality Inn. Security researcher Bob Diachenko discovered the leak, according to the U.K.-based website Comparitech.
The hotel company tells ISMG the ransom attempt was “not successful.”
The data was copied by the vendor, which was not identified, to its systems “without authorization,” it says. Ironically, Choice Hotels says the data “was being hosted on their server to test a security offering.” None of Choice Hotels' servers were impacted.
Most of the data that was copied by the vendor was test data, the company says, but about 700,000 records contained real guest information, including names, addresses, phone numbers and email addresses.
“The records did not contain payment, password or reservation information,” a spokeswoman says. “We will be notifying affected guests to advise them of what occurred.”
MongoDB: No Authentication
Diachenko found a 3.8GB MongoDB database containing 5.7 million records, which was traced to Choice Hotels. The database was left online and didn’t require authentication. MongoDB is a popular NoSQL open-source database.
The database was apparently discovered by others, because Diachenko found a ransom note. According to a screenshot posted by Comparitech, the note says the database had been downloaded and asked for .4 of a bitcoin – around $4,300 – to recover the data.
"The records did not contain payment, password or reservation information. We will be notifying affected guests to advise them of what occurred."
—Choice Hotels
Organizations that leave critical databases exposed often don’t have much time to fix the error, as cybercriminals scan the internet for applications that may vulnerable.
Indeed, Comparitech reports that the Choice Hotels situation was uncovered using the BinaryEdge search engine, which scans IP ranges to lightly probe for what applications or services may be exposed. Another similar search engine is Shodan.
Diachenko notified Choice Hotels on July 2, although his initial email was filtered out. The database ended up being secured that day, although Diachenko didn’t send a second notification until July 28, Comparitech reports.
Getting MongoDB Secure
The importance of maintaining proper security configurations for MongoDB increased two years ago, when researchers suddenly noticed tens of thousands of MongoDB systems being compromised in one day.
On a single day in January 2017, nearly 28,000 MongoDB instances were compromised. The attacks often involved deleting the data and leaving a ransom note in place, usually asking for some amount of bitcoins (see: MongoDB Ransomware Compromises Double in a Day).
The attackers were capitalizing on MongoDB instances that either required no authentication, didn’t have up-to-date patches or were otherwise misconfigured.
In response to the attacks, MongoDB advised that the compromises were largely preventable if administrators took advantage of the security protections and followed best practices.
MongoDB has security features that allow admins to test if a database is exposed to the internet, as well as a backup feature to ensure data is not lost forever. There’s also a good security checklist worthy of a scan.
During the 2017 attacks, Victor Gevers, who is chair of the GDI Foundation, created a spreadsheet called MongoDB ransacking that chronicles some observed attacks.
The spreadsheet shows the ransom price, the email of the attacker, when the email was sighted, attacker IPs, estimated number of victims and the number of transactions associated with the bitcoin address.
Most attacks occurred in 2017 and then tailed off. But there are three entries for this year, two of which were found by Gevers.