A security lapse at a hotel management startup has exposed hotel bookings and guests’ personal information.
The security lapse was resolved Monday after TechCrunch reached out to Aavgo, a hospitality tech company based in San Francisco, which secured a server it had left online without a password.
The server was open for three weeks — long enough for security researcher Daniel Brown to find the database.
He shared his findings exclusively with TechCrunch, then published them.
Aavgo bills itself as a way for hotels to organize their operations by using several connected apps — one for use by guests using tablets installed in their hotel rooms for entertainment, ordering room service and checking out, and another for staff to communicate with each other, file maintenance tickets and manage housekeeping.
Several large hotel chains, including Holiday Inn Express and Zenique Hotels, use Aavgo’s technology in their properties.
The database contained daily-updating logs of the back-end computer system. Although most of the records were logs of computer commands critical to the running of the system, we found personal booking data within them, including names, email addresses, phone numbers, room types, prices, the location of the hotel and the room, and the dates and times of check-in and check-out.
There was no financial information in the database beyond the credit card issuer.
The database also contained room service orders, guest complaints, invoices and other sensitive information used for accessing the Aavgo system, the researcher said.
Many of the records were related to its corporate hotelier customers.
One of those customers included...