Hospitality giant Choice Hotels fell victim to hackers this week, thanks to a MongoDB database that was left open to the internet containing 700,000 customer records. The situation highlights supply-chain data-security risk, given that the data was being held by a third-party vendor — and brings up the fact that shared responsibility should be top-of-mind.
The attackers left a note in the database file claiming that they downloaded the database to their own servers; they also demanded 0.4 Bitcoin, or around $3,800, as a ransom. However, they didn’t lock up the data, making the ransom demand moot.
Bob Diachenko, who discovered the database along with researchers at Comparitech, said that he thinks the note was left by an automated script targeting publicly accessible MongoDB databases. He added that the script was probably written to wipe or crypto-lock the databases when found, but it failed.
Diachenko immediately notified the company of the exposed database, which was hosted on the vendor’s server. It held 5.6 million records – but only about 700,000 of the records contained guest info (consisting of names, email addresses and phone numbers). Other fields containing passwords, reservation details and payment information only contained test data, according to Choice Hotels.
“We have discussed this matter with the vendor and will not be working with them in the future,” the chain told Comparitech. “We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr. Diachenko’s assistance in helping us identify any gaps.”
In total, the passwordless database was left exposed for four days. For customers, they will remain at risk of phishing or worse, according to Justin Fox, director of DevOps engineering for NuData Security.
“The stolen data will be tied to other pilfered data to build full personas used for identity theft or fraudulent account creation,” he said in an emailed comment.
While the incident is notable in that it highlights the ongoing problem of unsecured cloud storage buckets, and because it affected a large company (it franchises 7,000 properties in 41 countries, under brands like Comfort Inn, MainStay Suites, Econo Lodge and Clarion) — it’s also a good illustration of the growing amount of supply-chain risk that companies face, according to researchers.
“Who carries the brunt of such breaches – the third party that was hacked or the company that relied on the third party?” said Elad Shapira, vice president of research at Panorays, via email. “Past attacks have shown that while the third party suffers from associated breach costs, the company that uses the third party is greatly impacted as well, from brand damage to actual loss of revenue.”
And indeed, when it comes to private information, the company could be in breach of privacy regulations and may suffer from customer loss of confidence. The stakes are too high for there not to be a conversation with those one entrusts data to about where the responsibility lies, Shapira added.
“With the breach at Choice Hotels, it’s the hotel guests who made these reservations and they place the responsibility on the hotels,” Shapira added. “Companies need to be aware that outsourcing a business unit to a third party does not relieve them also from the security burden. They need to ensure that their partner has the right level of security before engaging with them, and if already engaged with them, to demand a minimum security standard.”
Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.