
Hotel Management Software Exposes Data of Guests

Security researchers have uncovered an exposed database belonging to the hotel management provider AavGo. The data was found in an Elasticsearch instance whose server did not require a username or password, so anyone who reached it could view and potentially download the information. The database includes booking information, guest details, guest complaints, invoices, staff communication, hotel room images, and broken equipment reports. It also includes hotel admin login details (admin username and password), the reservation system, and an internal database. Personal information of over eight million guests is contained in the database, including names, birth dates, email addresses, home addresses, marital status, information about children, and credit card issuer. Companies that use the AavGo software include Baymont Inn & Suites, The Row Hotel, Holiday Inn Express, Days Inn, Best Western Hotels and Resorts, clients of Equinox Solutions LTD, and many others. The affected clients of Equinox Solutions LTD are The Ritz Carlton, Hyatt, Marriott, Oberoi, and Hilton. Researchers reached out to AavGo to disclose the security flaw, and AavGo secured the database on July 16, 2019. In a statement, Mrunal Desai, the chief executive at AavGo, said that there was no breach of the contained data, rather a vulnerability which they have fixed.
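The exposure pattern described above is an Elasticsearch HTTP endpoint reachable without any authentication. As an added example (not code or configuration from the original report, and not AavGo's actual settings), the following script audits an elasticsearch.yml fragment for that pattern and shows a weak configuration beside a hardened one. It assumes the Elasticsearch 7.x setting names xpack.security.enabled, network.host and xpack.security.http.ssl.enabled (all real settings; the pre-8.0 default of security being disabled when the key is absent is an assumption baked into the check), and it parses only flat "key: value" lines so it needs no third-party YAML library. Both configuration fragments are constructed for illustration.

```python
"""Audit elasticsearch.yml settings for an unauthenticated, network-exposed cluster.

Added example. Assumes Elasticsearch 7.x setting names; the two config
fragments below are constructed and do not come from the report above.
"""

from typing import Dict, List, Optional

# Constructed: the kind of configuration that leaves a cluster readable
# by anyone who can reach the HTTP port (no login, bound to all interfaces).
WEAK_CONFIG = """\
cluster.name: hotel-pms
network.host: 0.0.0.0
http.port: 9200
# security left off: every request is anonymous and fully privileged
xpack.security.enabled: false
"""

# Constructed: the same cluster with authentication and TLS required and
# the HTTP listener bound to a single internal address.
HARDENED_CONFIG = """\
cluster.name: hotel-pms
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Special network.host values that bind to non-loopback interfaces.
WILDCARD_BINDS = ("0.0.0.0", "::", "_site_", "_global_")


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse top-level 'key: value' lines; blank lines and comments are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def as_bool(value: Optional[str], default: bool) -> bool:
    """Interpret a YAML-ish boolean; a missing key falls back to the given default."""
    if value is None:
        return default
    return value.lower() in ("true", "yes", "on")


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means none of the checks fired."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    # Assumption: absent key means disabled, as in 7.x basic-license defaults.
    if not as_bool(s.get("xpack.security.enabled"), default=False):
        findings.append(
            "xpack.security.enabled is not true: the HTTP API accepts "
            "unauthenticated requests"
        )
    host = s.get("network.host", "localhost")
    if host in WILDCARD_BINDS:
        findings.append(f"network.host={host}: listener bound to all interfaces")
    if not as_bool(s.get("xpack.security.http.ssl.enabled"), default=False):
        findings.append(
            "xpack.security.http.ssl.enabled is not true: credentials and "
            "data travel in cleartext"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run against the weak fragment the audit reports three findings (no authentication, wildcard bind, no TLS); against the hardened fragment it reports none. The same three checks are the minimum a deployment review should answer before an Elasticsearch index holding guest or credential data is reachable beyond a loopback interface.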

Analyst Notes

Even though there was no data breach, that does not mean the information was not accessed by an unknown party during the three weeks it was left unsecured. If someone did access the information, they could be sitting on it, waiting to use it until the news about this exposure subsides. Customers of those brands are being contacted about the leaky database, and affected users should practice caution when dealing with unknown emails or messages, since this type of information is often used for phishing attacks.