'FairBridge Inn & Suites' has left an unprotected database online for anyone with a browser to access. It contained approximately 8.1 million NGINX log records. Most of these entries have little to no value for malicious actors but, unfortunately, 1.85% of them (150,000) are customer profiles. This means that the Washington-based hotel giant, which operates 37 locations across 24 states, has compromised its visitors' privacy. Leaks like this one are particularly sensitive due to the nature of the services offered. People may have reasons to hide their stay in a hotel, so having this information leaked puts them at high risk of being extorted by malicious individuals.
The leaky database was discovered by researcher Jeremiah Fowler on December 11, 2019. After locating the information that linked the database to its owner, he contacted the company to apprise it of the problem. A representative of 'FairBridge Inn & Suites' confirmed the ownership and secured the database immediately. However, he did not provide any details about when the misconfiguration happened. It is not known how long the database remained accessible, or whether anyone other than Fowler managed to look inside. Also, there has been no official statement about sending any notifications to the affected customers. Everyone knows that this is always a bad strategy to follow in such cases. Let's hope that they are just investigating the incident and that they will send out warning notices to the exposed clients soon.
In detail, the database contained the following things:
The problem with online bookings for hotels is that customers can’t go incognito and use anonymous emails and payment methods. Moreover, when they appear on the premises, they are typically required to show their real ID.
All that said, hotel companies should be a lot more careful with how they handle customer data. Last month, a Japanese sex hotel search engine exposed customer data, and, in August 2019, Choice Hotels lost 700k sensitive records to hackers. And, of course, no one can forget the massive 500-million-customer data leak that happened after hackers breached the Marriott Starwood Guest Reservation database in December 2018.