Stay informed about the acquisition of Public Interest Registry

by Ethos Capital

Home / Industry

How Threat Intelligence Software Can Help Prevent Breaches Caused by Server Misconfigurations

Early this month, the Gekko Group, an AccorHotels subsidiary erroneously uploaded more than 1TB of confidential information on a publicly accessible cloud-based server. This error led to the exposure of tons of data owned by its partner hotels' clients, travel agencies, and customers.

Most of the information leaked from the France-based hotel booking platform came from Teldar Travel, the company's booking system for travel agents and Infinite Hotel, which is responsible for the hotel inventory that serves its business-to-business (B2B) clients. The data also included confidential information regarding external websites that the company regularly communicates with, such as hotelbeds.com, booking.com, and selectour.com.

In their blog, the vpnMentor researchers who found the leaked database gave the following details:

  • On 7 November, the researchers stumbled upon the Elasticsearch database while conducting an Internet mapping project. They sought to find its owner and immediately informed it of their discovery. They even reached out to the organization's General Data Protection Regulation (GDPR) officer and its parent company, AccorHotels. When they didn't receive replies, they contacted the group's hosting company and, eventually, the Commission Nationale de l'Informatique et des Libert├ęs (CNIL), France's independent regulatory body for data security and privacy.
  • By 13 November, AccorHotels responded to the researchers' email, inquiring about the leak then proceeded to address the issue. It also thanked the researchers for informing them about the breach.

Note that the Gekko Group spokesperson clarified that the companies affected by the leak were Teldar and HCorpo and not Teldar and Infinite Hotel.

The majority of the exposed data included travel and accommodation booking details, personally identifiable information (PII), login credentials in plain text, and credit card details indicated in invoices. These gave out customers' names; email and physical addresses; travel dates; hotel reservation details, including room classifications; the number of guests; and accommodation prices paid.

In some cases, the information also contained details on tour prices, theme park destinations, airport transfers, and train travel tickets. The invoices also included the credit card details of the travel agencies and their clients.

While the Gekko Group spokesperson claimed that there is no indication that the leaked data had ties to malicious activities, the incident can have dire implications for the company, its partners, and its clients. A data leak of this magnitude can give threat actors several chances to use the information to their advantage.

Our Investigation Tool: Threat Intelligence Platform

According to the researchers' analysis, the data leak occurred because the company uploaded sensitive information to a cloud-based storage system that was publicly configured — likely a human error.

Misconfigurations like this one and others can leave a server open to remote access and control by anyone who stumbles upon it, calling for proactive measures when it comes to protecting data privacy.

Among other aspects, this defensive stance includes the use of threat intelligence software that can provide exhaustive information about open ports and services, which might be the product of human error as well. It can also check for misconfigurations in real-time, thus adding one more layer of protection for confidential information.

A quick check for the domain "teldartravel.com," one of the previously-identified sites, revealed several configuration warnings in our report for the site (note that the results aren't establishing a connection to the breach, this is an independent analysis for demonstration purposes):

The company should use the information to make sure that the redirects are legitimate; that they were not set by attackers hoping to point its customers and partners to malicious websites.

The company can also further strengthen its network's security by enabling the Domain-Based Message Authentication, Reporting, and Conformance (DMARC) email validation system should SPF fail to detect spoofed emails.

* * *

While cloud computing allows organizations to access stored data from virtually anywhere in the world quickly, they must realize that convenience sometimes comes with consequences. Small errors like a misconfiguration can have a massive impact, such as making private databases publicly accessible as in the Gekko Group's case. That said, companies must ensure their systems' and servers' settings are always up to par. They can use threat intelligence software to perform regular checks on their network to avoid nasty repercussions.

WhoisXML API

About WhoisXML API – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

Follow CircleID on
Related topics: Cybercrime, Cybersecurity, Whois
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Cybercrime

Sponsored byThreat Intelligence Platform

IP Addressing

Sponsored byAvenue4 LLC

Domain Names

Sponsored byVerisign

DNS Security

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byAppdetex

Whois

Sponsored byWhoisXML API

New TLDs

Sponsored byAfilias