Leading US hotel group Choice Hotels suffered a major breach of customer records after unnamed hackers gained access to an unsecured MongoDB database that was being used by a third-party vendor to store and process personal information of its guests.
The unsecured MongoDB database was discovered on 2nd July by security researcher Bob Diachenko, who promptly informed Choice Hotels about the exposure, but it appears that by then a group of malicious hackers had already gained access to the server.
Hackers demanded ransom from Choice Hotels following data heist
The hacker group has apparently demanded 0.4 Bitcoin (£3327.24) in ransom from Choice Hotels in exchange for returning up to 700,000 personal data records stolen from the unsecured database. Even though the database stored up to 5.6 million records, Choice Hotels told Comparitech that only 700,000 of those records belonged to actual people while the rest was test data.
The hotel group added that the unsecured MongoDB database was being used by a third-party vendor “as part of a proposal to provide a tool” and that the hotel’s own servers were completely secure. Personal data stored on the compromised server included guest names, addresses, email addresses, and/or phone numbers.
“We have discussed this matter with the vendor and will not be working with them in the future. We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature,” it said.
The unsecured MongoDB database was first indexed by the BinaryEdge search engine on 28th June, was discovered by Bob Diachenko on 2nd July, and was secured by the hotel group on the same day. Even though the database was accessible for only four days, it was enough for malicious actors to steal valuable personal information from it.
Organisations must adopt machine learning to remediate threats
“This breach is a great example of the significant – and often underestimated – security risk that third-party vendors present,” said Saryu Nayyar, CEO of Gurucul. “The actions of any person or entity who can access your most critical systems and applications should be monitored.
“That can be done with modern machine learning algorithms that compare current behaviour of all users, including third parties, to baselined ‘normal’ behaviour. By doing so, organisations can identify anomalous trends and spot outliers to remediate threats,” she added.
According to Justin Fox, Director of DevOps Engineering at NuData Security, organisations must focus on storing data points securely – by making use of cryptographically secured formats like a SHA256 or SHA512 hash of the information. If an organisation successfully hashes the data point with salt and encrypts the resulting data, the stolen data becomes significantly less valuable to the attacker.
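The following Python sketch is an added example, not code from Choice Hotels, its vendor or NuData Security. It shows how the data points named above could be replaced with salted SHA-256 values before a guest record is handed to a third-party tool. Assumptions: the field names and sample record are constructed, and because Python's standard library has no cipher, the encryption step is replaced by an HMAC-SHA256 under a key kept outside the database.

```python
import hashlib
import hmac
import secrets

# Data points the article lists as exposed; the field names are constructed.
PII_FIELDS = ("name", "address", "email", "phone")


def protect(value, key, salt=None):
    """Return {"salt", "tag"} for one data point.

    Step 1: SHA-256 over a per-value random salt plus the normalised value.
    Step 2: HMAC-SHA256 of that digest under a key stored outside the
    database (stand-in for the encryption step; assumption of this example).
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    normalised = value.strip().lower().encode("utf-8")
    salted = hashlib.sha256(salt + normalised).digest()
    tag = hmac.new(key, salted, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "tag": tag}


def matches(value, stored, key):
    """Check a candidate value against a stored entry in constant time."""
    again = protect(value, key, bytes.fromhex(stored["salt"]))
    return hmac.compare_digest(again["tag"], stored["tag"])


def pseudonymise(record, key):
    """Replace every PII field of a guest record; other fields pass through."""
    return {
        field: protect(val, key) if field in PII_FIELDS else val
        for field, val in record.items()
    }


# Constructed sample record, not data from the incident.
SAMPLE_GUEST = {
    "booking_id": 1001,
    "name": "Alex Example",
    "address": "1 Test Street",
    "email": "alex@example.com",
    "phone": "+1 555 0100",
}

if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # in practice: from a secret store
    print(pseudonymise(SAMPLE_GUEST, demo_key))
```

The salt alone does not protect short values such as phone numbers, which is why the second, keyed step matters: without the key, a copy of the database cannot be checked against guessed values.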