Whoops! Hotel Left Thousand of Customers' Credit Cards Online For All To See
The hotel left full credit card data, trip details, and much more in an unprotected database.
Image: Che Saitta-Zelterman
Almost every day, cybercriminals hack and steal personal information of internet users. Sometimes, they have to break in somewhere to get it. But other times, that sensitive information is accidentally left exposed with no security for all to see—or at least for those who know where to look.
That's what happened with a luxury hotel chain in Vietnam, which left a shocking amount of sensitive personal information of thousands of its customers, including their names, trip details and credit card information, completely unprotected for weeks. The data was left in a database that had no security to prevent anyone from logging in and looking at the information, according to group of researchers who found it on August 12.
"[I was] absolutely surprised and shocked."
The hotel chain Silverland Hotel & Spas, which operates five hotels in Vietnam's popular destination Ho Chi Minh City, formerly known as Saigon, left a database online with no password, according to the researchers, who work for the MacKeeper Security Research Team.
The data on display included customers' IP addresses, booking status, flight information (flight number, arrival and departure time), detailed guest information (name, age, gender, phone, email address), and detailed credit card information (card type, number, name on card, expiration date and CVV), as the researchers detailed in a blog post published on Tuesday, after the hotel finally secured the database.
"[I was] absolutely surprised and shocked," Volodymyr Dyachenko, a member of the MacKeeper Security Research Team, told Motherboard in an online chat. "Sometimes we do encounter [databases] with payment info, but at least they have it hashed or encrypted."
In this case, Dyachenko said there were 6,377 entries in the database, most of them with full credit card details, and all the information was in the clear and unprotected, meaning hackers who found it could've simply copied and pasted the credit card information and used it for their personal purchases, or sold it online in the underground.
Dyachenko explained that the database was hosted on the same IP address as the hotel's website homepage, making it very easy to find just scanning that IP address for open ports.
The database was secured on Tuesday, Dyachenko said, 62 days after it had been left exposed, and 18 days after him and his colleagues reached out for the first time to alert of the issue. The hotel did not immediately respond to a request for comment.
As it's happened in several cases in the past few months, including once by MacKeeper itself, which left the information of 13 million of its customers exposed, the leaky database was created with MongoDB. This is software used for constructing and maintaining databases, and by itself, MongoDB isn't insecure, but customers often forget to set it up securely. And therein lies the problem.
"Each month we report and fix two-three databases, but the total amount of the leaking ones is not decreasing," Dyachenko told me. "People just don't want to listen and learn simple security rules."
In this case, there's no evidence that anyone else found the data and misused it. But if the researchers could find it, anyone else could have too.