Security platform leaking hotel security logs, including Marriott properties


vpnMentor’s research team has recently discovered that Marriott and other hotel brands managed by The Pyramid Hotel Group have experienced a cybersecurity data leak revealing vulnerabilities that could be utilised for a massive future attack.

Led by hacktivists Noam Rotem and Ran Locar, vpnMentor’s researchers discovered a breach that exposes 85.4GB of security audit logs, which include personally identifying information (PII) of employees of the affected companies and date back as far as April 19, 2019. This date may indicate system setup, reconfiguration, or maintenance that impacted the server and made it open and available to the world.

The Pyramid Hotel Group utilises Wazuh – an open source intrusion detection system – on an unsecured server that is leaking information regarding its operating systems, security policies, internal networks and application logs.

Information included in the database

The unsecured data that is publicly visible includes monitoring and alerts, reported system errors, misconfigurations, policy violations, potential attempted malicious breaches, and other cybersecurity events.

Affected parties include Tarrytown House Estate (New York), Carton House Luxury Hotel (Ireland), Aloft Hotels (Florida), Temple Bar Hotel (Ireland) and other brands in the Pyramid Hotel Group.

What we can see through the data leak includes – but is not limited to – the following sensitive details:

  • Server API key and password
  • Device names
  • IP addresses of incoming connections to the system and geolocation
  • Firewall and open ports information
  • Malware alerts
  • Restricted applications
  • Login attempts
  • Brute force attack detection
  • Local computer names and addresses, including alerts showing which of them have no antivirus installed
  • Viruses and malware detected on various machines
  • Application errors
  • Server names and OS details
  • Information identifying cybersecurity policies
  • Employees’ full names and usernames
  • Other telling security data

The danger of exposing this information

This database gives any would-be attacker the ability to monitor the hotels’ network, gather valuable information about administrators and other users, and build an attack vector targeting the weakest links in the security chain. It also enables the attacker to see what the security team sees, learn from their attempts based on the alerts raised by the systems and adjust their attacks accordingly. It’s as if the nefarious individuals have their own camera looking in on the company’s security office.

In the worst-case scenario, this leak has the potential to put not only systems at risk, but also the physical security of hotel guests and other patrons. Our team found multiple devices that control hotel locking mechanisms, electronic in-room safes and other physical security management systems. In the wrong hands, this information drives home the very real danger that arises when cybersecurity flaws threaten real-world security.

With this window into the cybersecurity events and policies, it is possible to fine-tune tactics to gain entry into the systems of the affected companies. From what we can see, it’s possible to understand the naming convention used by the organisation, its various domains and domain control, the database(s) used and other important information leading to potential penetration.

This data leak discloses information that is private and secret, and that would typically be for the eyes of an internal team or MSSP only. The irony is that the exposed data comes from a system that is meant to protect the company from such vulnerabilities.
