‘FairBridge Inn & Suites’ Unprotected Database Exposed 150,000 Customers

• ‘FairBridge Inn & Suites’ is the latest hotel chain to blunder by not setting up a password for their database.
• The franchise hasn’t provided any details about how long the database was left online, and which locations this impacted.
• The booking details of about 150,000 customers may have fallen into the wrong hands.

'FairBridge Inn & Suites' has left an unprotected database online for anyone with a browser to access. It contained approximately 8.1 million NGINX log records. Most of these entries have little to no value for malicious actors, but, unfortunately, 1.85% of them (150,000) are customer profiles. It means that the Washington-based hotel giant, which operates 37 locations across 24 states, has compromised its visitors' privacy. Leaks like this one are particularly sensitive due to the nature of the services offered. People may have reasons to hide their stay in a hotel, so having this info leaked puts them at high risk of being extorted by malicious individuals.

The discovery of the leaky database was made by researcher Jeremiah Fowler, on December 11, 2019. After the researcher located the information that linked the database to its owner, he contacted the company to apprise of the problem. A representative of 'FairBridge Inn & Suites' confirmed the ownership and secured the database immediately. However, he had not provided any details about when the misconfiguration happened. It is not known how long the database remained accessible, and whether or not anyone other than Fowler managed to look inside. Also, there has been no official statement about sending any notifications to the affected customers. Everyone knows this is always a bad strategy to follow in such cases. Let's hope that they are just investigating the incident and that they will send out notices of warning to the exposed clients soon.

In detail, the database contained the following things:

• 8.1 million NGINX log records.
• 150,000 customer profiles – each entry contained email address, reservation number, customer IP, location data (from online booking), employee ID, and other sensitive information.
• Entries concerning IP addresses, Ports, and Pathways – this information is used by cyber-criminals to infiltrate even deeper in the network of the exposed entities.

Source: Security Discovery

Source: Security Discovery

The problem with online bookings for hotels is that customers can’t go incognito and use anonymous emails and payment methods. Moreover, when they appear on the premises, they are typically required to show their real ID.

All that said, hotel companies should be a lot more careful with how they handle customer data. Last month, a Japanese sex hotel search engine exposed customer data, and, in August 2019, Choice Hotels lost 700k of sensitive records to hackers. And, of course, no one can forget the massive 500-million-customers data leak that happened after hackers breached the Marriot Starwood Guest Reservation database in December 2018.