When stories about major data leaks break, they’re usually headlined with the number of personal data records that were exposed. This story is a little different. A lodgings management group that works with some of the world’s premier upscale hotel chains experienced a leak, but no customer data was stolen. Instead, the third party data breach exposed 85.4 GB of security logs.
What’s so exciting about security logs? They effectively serve as master keys to each property’s security system, from its cyber defenses to physical on-site devices that are controlled by computers. If an attacker takes possession of them, they have access to all of the information that a security expert working for the hotel has.
Which hotels were breached?
Pyramid Hotel Group was breached. This is an independent management company that handles individual properties for various brands. The group manages about 90 hotel and resort locations around the world. Their properties include 19 Marriott International hotels and several Sheraton and Hilton locations. They also manage several Plaza and St. Regis resorts and a large portfolio of more upscale independent hotels in popular vacation destinations like New York, Florida and the Caribbean.
It does not appear that chain locations outside of Pyramid’s management were impacted by this breach. If a Marriott, Sheraton or Hilton you stayed at is not managed by Pyramid, it is very unlikely that any guest information pertaining to you was exposed in this particular leak. There is cause for concern going forward, however, as the security information that was exposed could potentially be used to compromise other locations in these hotel chains.
What was the breach window?
The breach was discovered by security researchers at vpnMentor on May 27. The exposed data they found dates back to April 19 of this year. Pyramid Hotel Group announced that they had fixed the issue on May 29.
The trouble with a third party data breach such as this is that it is not simply backward-looking, as most personal information breaches are. Any unauthorized visitors may have taken home goodies that could be used to compromise systems in the future.
As of now, it is unknown if anyone else accessed the security logs during the breach window before the vpnMentor researchers found them.
“While the security teams at the Pyramid Hotel Group and the affected hotels are having a very bad day, we applaud the vigilance of the researchers. They are a vital part of the cat and mouse game between attackers and defenders, and even though these disclosures may be painful they help us harden our infrastructure.”
How did this particular data breach happen?
The vpnMentor researchers came across this third party data breach on May 27. The source of the issue is, ironically, an intrusion detection system called Wazuh. The researchers believe that a mishandled system update or some sort of maintenance may have caused Wazuh to start making its security audit logs available to anyone who found and connected to the Pyramid Hotel Group server.
The exposed logs were found in an Elasticsearch database instance on port 9200, a common place for attackers to probe for misconfiguration-based vulnerabilities just like this one. A similar flaw led to the November 2018 leak of 57 million United States citizen records.
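The misconfiguration pattern described above, an Elasticsearch HTTP listener reachable from anywhere with no authentication in front of it, is something a defender can check for in the node's own configuration file. The following audit script is an added example; it is not code from the article, from Pyramid Hotel Group, from Wazuh or from Elastic. It assumes the usual flat "dotted.key: value" layout of elasticsearch.yml and that no firewall or reverse proxy sits in front of the listener; both YAML samples are constructed for the demonstration.

```python
"""Audit a flat elasticsearch.yml for a world-reachable, unauthenticated listener.

Added example (not from the article, Pyramid Hotel Group, Wazuh or Elastic).
Assumes the flat "dotted.key: value" layout of elasticsearch.yml and that
nothing (firewall, reverse proxy) sits in front of the HTTP listener.
"""
from typing import Dict, List

# Bindings that expose the HTTP listener on every interface of the host.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_"}

# Constructed sample: the shape of configuration that leaves port 9200
# reachable by anyone who finds the host, with no login required.
WEAK_CONFIG = """\
cluster.name: hotel-siem          # constructed name
node.name: wazuh-es-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: listener on loopback only, authentication and TLS on.
HARDENED_CONFIG = """\
cluster.name: hotel-siem          # constructed name
node.name: wazuh-es-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for 'key: value' lines; comments and blanks are skipped.

    Deliberately not a full YAML parser: it covers the flat layout that
    elasticsearch.yml normally uses and keeps the example dependency-free.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch(text: str) -> List[str]:
    """Return finding codes; an empty list means the exposure pattern is absent."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    host = s.get("network.host", "")
    security = s.get("xpack.security.enabled")

    if host in PUBLIC_BINDINGS:
        findings.append("PUBLIC_BIND:" + host)
    if security is None:
        # The default differs between versions, so an absent key is itself
        # a finding: verify it rather than assume it.
        findings.append("SECURITY_UNSET")
    elif security.lower() == "false":
        findings.append("AUTH_DISABLED")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP_TLS_OFF")
    # The combination is what the article describes: a world-reachable HTTP
    # API with no authentication in front of it.
    if host in PUBLIC_BINDINGS and (security or "").lower() != "true":
        findings.append("EXPOSED_UNAUTHENTICATED_HTTP:" + s.get("http.port", "9200"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch(cfg) or "no findings")
```

The check treats an absent xpack.security.enabled key as a finding in its own right, because the default has changed across Elasticsearch versions and a node inherited from an old install may be running with whatever that version assumed.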
What was exposed in this breach?
The data leak did not give hackers a direct path into hotel systems, but it gave them nearly all the research material they could possibly want for formulating an attack.
In effect, the security logs let anyone see what cybersecurity personnel at Pyramid Hotel Group and its properties can see. That means information like all of the devices connected to the network, and whether or not they have anti-malware measures installed or have already been compromised in some way.
The logs also contain information ideal for conducting phishing attacks against members of the hotel organization outside of the IT department: the full names and email addresses of security personnel, the security policies, device configuration errors, security policy violations and login attempts by various employees and guests among other choice bits of information. The server API key and password were apparently also in the logs, which would allow attackers to very effectively spoof legitimate internal communications.
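Secrets such as an API key or a password should never reach a log store in the first place, so a practical mitigation is to scrub alerts before they are indexed. The scrubber below is an added example, not code from the article, from Wazuh or from Pyramid Hotel Group. It assumes Wazuh-style JSON alerts (one object per line) and masks values by key name (api_key, password, token and similar), bearer and basic credentials embedded in free-text fields, and the local part of e-mail addresses; the sample alert, its rule id and every value in it are constructed.

```python
"""Scrub credentials and e-mail addresses from JSON security alerts before indexing.

Added example (not from the article, Wazuh or Pyramid Hotel Group). Assumes
Wazuh-style JSON alerts, one object per line; the sample alert is constructed.
"""
import json
import re
from typing import Any, Dict, Optional

# Keys whose string values are secrets regardless of content.
SECRET_KEYS = re.compile(r"(api[_-]?key|passw(or)?d|secret|token|authorization)", re.I)
# Credentials embedded in free text, e.g. a logged command line or header.
CRED_IN_TEXT = re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9+/=._-]{8,}")
# Keep the first character and the domain so analysts can still correlate.
EMAIL = re.compile(r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*(@[A-Za-z0-9.-]+)")

# Constructed sample alert; rule id is in the custom range and all values are made up.
SAMPLE_ALERT: Dict[str, Any] = {
    "timestamp": "2019-05-20T10:15:32.000+0000",
    "agent": {"name": "frontdesk-pc-07", "ip": "10.20.30.41"},
    "rule": {"id": "100001", "level": 7, "description": "constructed: suspicious API call"},
    "data": {
        "srcuser": "a.smith@pyramid.example",
        "api_key": "constructed-example-key-0001",
        "full_log": "curl -H 'Authorization: Bearer eyJhbGciOi.constructed.token' "
                    "https://siem.internal.example/api/status",
    },
}


def scrub(value: Any, key: Optional[str] = None) -> Any:
    """Recursively redact secrets in dicts/lists/strings; other types pass through."""
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, key) for v in value]
    if isinstance(value, str):
        if key is not None and SECRET_KEYS.search(key):
            return "[REDACTED]"
        value = CRED_IN_TEXT.sub(lambda m: m.group(1) + " [REDACTED]", value)
        return EMAIL.sub(r"\1***\2", value)
    return value


def scrub_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Return a scrubbed copy of one alert object (the input is not modified)."""
    return scrub(alert)


def scrub_json_line(line: str) -> str:
    """Scrub one newline-delimited JSON alert; non-JSON lines are dropped."""
    try:
        return json.dumps(scrub_alert(json.loads(line)), separators=(",", ":"))
    except ValueError:
        return ""


if __name__ == "__main__":
    print(json.dumps(scrub_alert(SAMPLE_ALERT), indent=2))
```

Masking by key name is the reliable half of this; the free-text patterns are a safety net for credentials that end up inside a logged command line or header, which is where they most often leak unnoticed.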
Even more worrying is the fact that some physical security measures appeared to be accessible through the network at some properties: things like hotel door locks, safe locks and cameras.
Third party data breaches in the hospitality industry
We’ve seen no end of high-profile data breaches in the last few years, including one that involved Marriott’s Starwood hotels last year. Lodging and travel companies are not spoken of in cybersecurity circles as frequently as finance or social media companies are, but perhaps they should be. As this and other recent breaches demonstrate, they hold a massive amount of information of interest to cyber criminals: credit and debit card numbers, passport and driver’s license numbers, corporate account information, reservations system data and more.
The “loyalty programs” that many hotels offer have also recently become a lucrative target for hackers, as fraud in this area is often relatively simple and the points can be transferred to various gift card programs and quickly spent.
Though they are a rich target for hackers and hold a comparable amount of sensitive personal data, hospitality industry companies are usually not regulated as tightly as finance and medical companies are in terms of data handling and privacy.
Even if companies are on top of their internal security, vendor compromise can undo all of their efforts when a third party data breach of this nature occurs. This particular incident is a cautionary tale. Pyramid Hotel Group was likely trusted with sensitive internal information from client companies like Marriott and Hilton, information that may be parlayed into a successful future attack on those companies.
Pankaj Parekh, Chief Product and Strategy Officer at SecurityFirst, said:
“This breach is an example of a combination of vulnerabilities. There is a business partner, outside of the direct control of the companies affected. Keeping strong security practices for data shared between business partners is an important area of concern.
“In addition, this type of data is outside of the mainstream attention of security practitioners, who have been most focused on protecting the privacy of customer data. Even though it’s obvious that security parameters such as these should be very carefully protected, this data was not secured. This is like putting a security system in your house and then posting the pass code on your front door.”
As is the case with any third party data breach issue, the key is to rigorously screen and select vendors based on their security policies and practices and willingness to be audited regularly. Given that supply chains rely on the rapid sharing of all sorts of data, it is usually very difficult for any company to “lock down” their communications with all vendors and partners at the local end. While there are certain prudent layers of security and resiliency to implement, ultimately prevention of a third party data breach comes down to relying on business partners to properly handle their own internal security.
Ameya Talwalkar, Co-Founder and CPO at Cequence Security, elaborates on the problems caused by this third party data breach:
“Leaving applications that store sensitive information open to the Internet because of policy mismanagement or misconfiguration is a growing problem as cloud adoption grows. Although it results in security breaches which cause extensive damage to customers, losses to enterprises from fraud and brand loss, this is really not a traditional security attack problem. It’s more an issue of internal security discipline. Anytime an application is deployed on public cloud infrastructure, steps need to be taken to protect it, limiting access using appropriate security tools. Elasticsearch does not have built-in security – as it is expected to be talking only to other trusted applications, and only authenticated and authorized user sessions should be allowed to access these applications. The enforcement of authenticated access is (typically) delegated to appropriate security zoning and policy configuration, which clearly has not been done in this case. One other significant commonality among these breaches – they are usually discovered after the sensitive data has been scraped completely, usually when it makes its way to the dark web. There is no real-time detection and protection against these incidents – but there needs to be.
“The stolen data represents a significant trove of information for bad actors to use to attack any one of the target hotels. But taken collectively, it supplies bad actors with 2 of the 3 key requirements needed to execute an automated attack: 1) some form of user authentication/credentials, and 2) infrastructure, typically compromised servers, PCs, laptops, devices. The 3rd requirement would be a management tool like Snipr or Sentry MBA to execute automated attacks targeting business logic abuse (account takeovers/credential stuffing, loyalty program fraud, etc.) of the hotel’s public facing web, mobile, and API-based applications.”
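The point about real-time detection has a concrete form: if the Elasticsearch API is only ever meant to be reached by trusted internal systems, a successful read of a data endpoint from any other address is itself an alert condition. The detector below is an added example, not code from the article, from Cequence Security, from Wazuh or from Elastic. It assumes that a reverse proxy such as nginx fronts the Elasticsearch HTTP port and writes combined-format access logs (Elasticsearch alone does not produce these), and that the trusted ranges are the private RFC 1918 networks plus loopback; the log lines, the external address and the index names are constructed.

```python
"""Flag successful reads of Elasticsearch data endpoints from untrusted addresses.

Added example (not from the article, Cequence Security, Wazuh or Elastic).
Assumes a reverse proxy in front of port 9200 writing combined-format access
logs; the sample lines are constructed (203.0.113.0/24 is a documentation range).
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)"
)
# Endpoints that return index contents or cluster metadata.
DATA_READ = re.compile(r"/_(search|msearch|cat|mapping|scroll)\b")

# Constructed sample access log: two external reads, one internal Kibana query,
# and one external request that never reached data.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2019:08:14:02 +0000] "GET /_cat/indices?v HTTP/1.1" 200 4312 "-" "curl/7.58.0"
203.0.113.7 - - [27/May/2019:08:14:05 +0000] "GET /wazuh-alerts-3.x-2019.05.20/_search?size=10000&scroll=1m HTTP/1.1" 200 1948231 "-" "python-requests/2.21.0"
10.20.30.5 - - [27/May/2019:08:15:11 +0000] "GET /wazuh-alerts-3.x-2019.05.27/_search?q=rule.level:12 HTTP/1.1" 200 20311 "-" "Mozilla/5.0 (kibana)"
203.0.113.7 - - [27/May/2019:08:15:40 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "curl/7.58.0"
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    rec["bytes"] = int(m.group("bytes"))
    return rec


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def detect_external_reads(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return records for successful (2xx) data reads from untrusted addresses."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_trusted(str(rec["ip"])):
            continue
        if not DATA_READ.search(str(rec["path"])) or int(rec["status"]) // 100 != 2:
            continue
        hits.append(rec)
    return hits


def bytes_by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Total response bytes per external source, a rough measure of what left."""
    totals: Dict[str, int] = {}
    for h in hits:
        totals[str(h["ip"])] = totals.get(str(h["ip"]), 0) + int(h["bytes"])
    return totals


if __name__ == "__main__":
    found = detect_external_reads(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ts"], h["ip"], h["path"], h["bytes"])
    print("bytes per external source:", bytes_by_source(found))
```

Tracking response bytes per source turns a single noisy alert into an answer to the question the article leaves open, namely how much of the 85.4 GB anyone other than the researchers actually retrieved, which is exactly what a post-incident review needs.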
Though customers of the affected hotel brands don’t have anything immediate to worry about if they did not have a recent stay at a Pyramid-managed property, increased vigilance regarding communications coming from these hotel groups would be prudent. For business owners, this particular third party data breach serves as yet another reminder to review supply chain security and ensure that vendor contracts are specifying adequate security conditions.