Hotels Chain Leaks Credit Cards Data
Luxury Hotel leaks thousands of customers credit cards online.
Thinking about taking a trip to a far away exotic location? You might just have your payment data stored unsecurely and available for anyone with internet access. As payment processors continue to enhance their security measures and encryption methods the real problem is businesses that collect data and then store it in an unsecure way.
[This post has been updated to include statements on behalf of Silverland Hotels & Spas IT team - in italic]
The MacKeeper Security Research Center has discovered an open database belonging to the Silverland Hotel in Ho Chi Minh City, Viet Nam with thousands of unencrypted credit cards.
The cardholder accounts include the payment information of Australian, US, UK citizens and a range of international guests who have stayed at the hotel.
Imagine you have saved and planned for your perfect holiday trip to Vietnams capital, you booked your luxury hotel and of course you wouldn't expect your card details and personal info available online. Along with the payment information, database contained also login details, IP and special requests of the guests. The total number of entries reached 6377 items (i.e. credit cards details).
This open database was publically available and required no password to access. The exposed database and the website were hosted on the same IP address.
The first notification was sent to the hotel email address immediately after we have identified the exposure during our weekly security scan on August 12th.
[The first email eventually discovered by Silverland, after being contacted by a customer late in the evening of August 29, in the hotels junk mail folder was dated August 17 and contained the August 12 email, which email did not include any address where it was purportedly sent].
[On August 30, 2016, MacKeeper engaged in a live chat with Silverland discussing the data leak. That very same day, August 30, Silverlands IT team contacted Hostgator about the problem and port 27017 was immediately closed with password protection. On September 6, 2016, Silverland completed the vulnerability assessment verifying that Silverlands web server was secure. Silverlands customers that may have been effected were notified of the data leak by email on September 7, 2016]
The Security Research Center sent multiple emails, used the live chat feature on the website and spoke with the assistant of the hotel owner using the private phone number found on the domain registry. Customers exposed as they continued to add additional credit card numbers to the database.
It is unclear if the data was accessed by anyone else.
The Silverland Hotels & Spas IT team has secured the port in question with password protection, the web server has been secured, the customers that may have been effected have been notified, and Silverland Hotels & Spas is working with the banking institutions to ensure that any potential problems are covered. Additionally, Silverland Hotels & Spas has retained U.S. (Colorado) attorney Ira J. Bornstein to assist them in handling this matter.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Research Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org