A US hotel management company has suffered a security lapse, exposing bookings and guests’ personal information.
San Francisco-based hospitality tech start-up AavGo resolved the lapse, which occurred after a server had been left online without a password. The server was open for three weeks.
AavGo provides hotels with a management system based on several connected apps – one for use by guests using tablets installed in their hotel rooms, and another for staff to communicate with each other. Several large hotel chains use AavGo’s technology in their properties, including Holiday Inn Express, Days Inn, and Best Western Hotels & Resorts.
The security lapse was discovered by researcher Daniel Brown, who works as a ‘white hat hacker’, testing companies’ online security services and publishing his findings online.
“Over eight million entries are available in this data leak, with a combination of company, client, and guest details included,” said Brown. “Hotel guest data is made available, and provides enough details that a hacker could easily find out with minimal internet research what their home bathroom looks like (i.e. through real estate websites) and which schools their children attend (public records of municipal zoning).”
The findings come just weeks after Marriott was issued with an almost £100m fine following a security leak, in which the information of approximately 339 million guests was exposed.