HU talks with Bob Diachenko, the cybersecurity expert who discovered the breach, about steps hotels can take to prevent data incidents 

By Fran Worrall, Hospitality Upgrade

Another data breach has hit the hospitality industry, this time affecting approximately 700,000 records belonging to lodging industry giant Choice Hotels International. The Maryland-based company franchises and handles bookings for more than 7,000 properties around the globe, including such brands as Ascend Hotel Collection, Cambria Hotels, Clarion, Comfort, Econo Lodge, MainStay Suites, Rodeway Inn, Sleep Inn and WoodSpring Suites.

According to a statement released by the company, the incident involved data that was being hosted on a vendor’s server to test, ironically, a security offering. Although the records didn’t contain payment, password or reservation information, they did include guest names, addresses, phone numbers and email addresses. Apparently, the vendor copied the data without Choice Hotels’ authorization.

This isn’t the first time the company has suffered a data incident. In April 2012, sensitive guest information, including credit card, passport and driver’s license numbers, was improperly added to its database fields. That event, although serious, affected customers in only two states — California and New Hampshire — reflecting a small percentage of the hotel company’s total guest records.

Records Exposed for Days

The recent incident was uncovered on July 2 by cybersecurity expert Bob Diachenko, a partner in SecurityDiscovery.com, a Ukraine-based security consultancy. He alerted Choice Hotels the same day with assistance from technology research firm Comparitech. The hotel company secured the database on July 2 and began an investigation on July 28.

Diachenko, who has identified hundreds of data breaches over the years in organizations of every type and size — from non-profits to government agencies to Fortune 500 companies — was not employed by Choice Hotels at the time of the incident. His goal, he claims, is to help companies prevent exposures and breaches. “I try to make businesses aware of the importance of constantly tracking data and being vigilant. I’m on a mission to make sure they secure their databases before something bad happens.”

The records in the Choice Hotels breach were located in a MongoDB database, an open-source, scalable database management system frequently used in big data applications. The database, which required no authentication and was reachable from the public internet, left the records exposed for several days.

According to Diachenko, breaches often involve third parties and are usually the result of human error. “Almost every case involves a vendor or some other third party who is either negligent or unqualified,” he says. “They make a mistake configuring the database, and the information is just sitting there unsecured with no password required to view it. It’s typically a mistake on the human side.”

He has discovered numerous instances of unprotected data on MongoDB, in particular, including an incident in May that involved more than 275 million records of Indian citizens containing detailed personally identifiable information. “The lack of authentication allows installation of malware or ransomware on the MongoDB servers,” he says. And worse, the public configuration opens the possibility that cybercriminals can manage the entire system with full administrative privileges. “Once the malware is in place, criminals can remotely access the server resources and even launch a code execution to steal or destroy any saved data the server contains.”
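The misconfiguration Diachenko describes, a MongoDB listener reachable from the internet with no password required, comes down to two settings in mongod.conf. The following is an added example, not code from the article, from Choice Hotels or from MongoDB: a small Python audit that parses the indented key/value subset mongod.conf normally uses and flags the two weak settings (`security.authorization` not enabled, `net.bindIp` or `net.bindIpAll` listening on every interface). Both configuration texts are constructed for illustration; the private address in the hardened one is a placeholder.

```python
"""Audit a mongod.conf for the two settings behind most "open MongoDB" reports:
authorization switched off and the listener bound to all interfaces.

Added example, not code from the article or from MongoDB. The parser handles
only the nested 'key: value' subset that mongod.conf normally uses, and the
two sample configs are constructed for this illustration.
"""
from typing import Any, Dict, List


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse nested 'key: value' lines indented with spaces into nested dicts.

    '#' comments and blank lines are ignored; a key with no value opens a
    nested section. This is deliberately a subset of YAML, not a full parser.
    """
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent level, dict that owns keys at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # dedent: close deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # section header such as 'net:'
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    findings: List[str] = []

    # MongoDB's default is no access control, so a missing key counts as disabled.
    security = cfg.get("security", {})
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': anyone who can reach the "
            "port can read and modify every collection without a password"
        )

    # Default bindIp is localhost; 0.0.0.0 / :: (or bindIpAll) exposes the
    # listener on every interface, including a public one.
    net = cfg.get("net", {})
    addrs = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    if bind_all or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append(
            "net.bindIp listens on all interfaces: with a permissive firewall "
            "the database is on the public internet"
        )
    return findings


# Constructed: the pattern behind many open-database reports.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: same server, hardened. 10.0.0.5 is a placeholder for the
# application host's private address.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server only
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_mongod_config(conf)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Enabling authorization is only half of the fix: a database that is still bound to every interface remains a brute-force and vulnerability target, so both findings should be cleared, and the network-level check (is port 27017 reachable from outside?) belongs in the regular check-ups Diachenko recommends below.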

Steps to Prevent a Breach

Although no sensitive information, such as credit card or Social Security numbers, was involved in the Choice Hotels breach, customers might still be affected, says Justin Fox, director of DevOps engineering at NuData Security, a behavioral biometrics company that helps businesses identify users based on their online interactions. “Guests will be at risk for phishing or worse. The stolen data could be tied to other pilfered information to build full personas used for identity theft or fraudulent account creation.”

Diachenko agrees. “The stolen data can easily be used in a phishing campaign, where someone pretending to be a representative of the hotel company will try to get more information from guests, either through email or text messages.” Guests could also see increased spam in their in-boxes, he warns.

Following are tips from Diachenko and Fox for preventing data breaches:

  • Be vigilant. Look for a lack of passwords, misconfigured firewalls and other simple human mistakes. “Often, no sophisticated techniques are required,” Diachenko says. “The errors are right in front of you.”
  • Educate staff. No matter how many security firms an organization hires to protect its databases, staff education is critical. “Everyone should be aware of the basics — checking IP addresses, not reusing passwords and confirming that data is always password protected,” Diachenko says. “These are really simple things. It’s like not crossing the street on a green light.”
  • Layer in advanced security solutions. These include passive biometrics and behavioral analytics, Fox states. “This allows you to verify users before a critical decision, block account takeover, stop automated attacks and reduce customer insult.”
  • Be responsible. Implement regular check-ups, hold internal meetings, and make sure all security procedures are followed within the partner network, Diachenko advises. “The company that owns the data should be responsible, even when it uses a third-party vendor.”
  • Check vendors thoroughly. Never choose a partner or vendor solely on cost, warns Diachenko. “Check out your vendors thoroughly and consider where they are located. Often, foreign-based companies don’t have the same standards as U.S.-based companies.”
  • Focus on storing data points securely. Use cryptographically secured formats, like a SHA-256 or SHA-512 hash of the information, Fox advises. “If an organization successfully hashes the data point with a salt [a random string of data that makes it more difficult for attackers to break into a system] and encrypts the resulting data, the stolen information becomes significantly less valuable to the attacker.”
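Fox’s last tip, as an added example that is not code from the article or from NuData Security: a guest’s email address is stored as a per-record salted SHA-256 hash instead of in the clear, and the application can still confirm a match at check-in. Fox describes encrypting the salted hash; this example substitutes a keyed HMAC with a secret “pepper” held outside the database (an environment variable here) for that encryption step, because the Python standard library has no authenticated cipher. All function names, the environment variable and the sample addresses are constructed for the illustration.

```python
"""Store a guest contact data point as a salted, keyed SHA-256 hash.

Added example, not code from the article or from NuData Security. The
'encrypt the result' step in the quoted advice is replaced here by an HMAC
keyed with a pepper that never lives in the database; every name and sample
value is constructed.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# The pepper must come from a secret store or environment, never from the
# database that holds the records. The fallback value is for this demo only.
PEPPER = os.environ.get("GUEST_HASH_PEPPER", "demo-pepper-replace-in-production").encode()


def normalize(value: str) -> str:
    """Canonicalise before hashing so 'Guest@Example.com ' matches 'guest@example.com'."""
    return value.strip().lower()


def protect_data_point(value: str, pepper: bytes = PEPPER,
                       salt: Optional[bytes] = None) -> Dict[str, str]:
    """Return the stored form: a random per-record salt plus the keyed digest.

    inner  = SHA-256(salt || value)      -- the salted hash from the article's advice
    digest = HMAC-SHA256(pepper, inner)  -- stands in for the encryption step
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    inner = hashlib.sha256(salt + normalize(value).encode("utf-8")).digest()
    digest = hmac.new(pepper, inner, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "digest": digest}


def matches(value: str, record: Dict[str, str], pepper: bytes = PEPPER) -> bool:
    """Check a presented value against a stored record in constant time."""
    candidate = protect_data_point(value, pepper, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate["digest"], record["digest"])


def store_guest_contact(name: str, email: str) -> Dict[str, str]:
    """Build the record a booking system would persist: name in the clear
    (it is needed on the folio), email only as salt + digest."""
    protected = protect_data_point(email)
    return {"name": name, "email_salt": protected["salt"],
            "email_digest": protected["digest"]}


def guest_email_matches(record: Dict[str, str], email: str) -> bool:
    return matches(email, {"salt": record["email_salt"],
                           "digest": record["email_digest"]})


if __name__ == "__main__":
    rec = store_guest_contact("A. Guest", "guest@example.com")  # constructed
    print(rec)  # no address appears in the stored record
    print(guest_email_matches(rec, " Guest@Example.com"))  # True
    print(guest_email_matches(rec, "other@example.com"))   # False
```

Two caveats a practitioner will want. First, this only helps for data points the application never needs in the clear again; an email address used to send confirmations still has to be stored (or encrypted reversibly), so hashing fits lookup and matching keys rather than every field. Second, contact details have low entropy, so a salt alone does not stop an attacker who already holds a target address from confirming it; the pepper, kept away from the database, is what makes a stolen collection unusable on its own.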

It Only Takes One Mistake

Choice Hotels says it has ended its relationship with the vendor involved in the breach and is notifying affected guests. The company is also evaluating all of its vendor relationships and implementing controls to prevent future incidents, including establishing a Responsible Disclosure Program.

“This incident illustrates the fact that companies are never entirely safe from breaches,” says Fox. “They can happen at any time.”

Diachenko urges hotels to use this latest incident as a learning exercise. “Choice Hotels got lucky; this isn’t a serious breach,” he concluded. “But it’s a reminder that it only takes one mistake. You have to do your due diligence and always follow best practices and procedures. It not only can save the reputation of your company but also the trust of your customers.”