Unprotected Elasticsearch database belonging to Pyramid Hotel Group exposes security logs of major hotel chains

• The impacted properties include Aloft Sarasota of Marriott property, Tarrytown House Estate in New York, Carton House Luxury Hotel in Ireland, Aloft Hotels in Florida, and Temple Bar Hotel in Ireland.
• The data relating to multiple devices including hotel locks, in-room safes, and physical security management equipment were also included in the database.

Security researchers Noam Rotem and Ran Locar from VpnMentor have uncovered an unprotected Elasticsearch database belonging to Pyramid Hotel Group.

The unsecured database has exposed almost 85GB in security logs of major hotels including Marriott locations, Sheraton hotels, and Hilton Hotel properties.

Which hotel chains are impacted?

The security incident has impacted multiple hotels in the US, Hawaii, the Caribbean, Ireland, and the UK managed by the Pyramid Hotel Group which include Marriott locations, Sheraton hotels, Plaza resorts, Hilton Hotel properties, as well as a number of independent hotels.

The impacted properties include Aloft Sarasota of Marriott property, Tarrytown House Estate in New York, Carton House Luxury Hotel in Ireland, Aloft Hotels in Florida, and Temple Bar Hotel in Ireland.

Pyramid has publicly listed 90 properties, however, the leaky database contains data relating to 96 locations.

What data was involved?

• The unsecured database contains sensitive data including security audit logs belonging to the security systems of the above-mentioned properties.
• The database holds information related to server API keys and passwords, device names, IP addresses of incoming connections, firewall, and open port data, malware alerts, restricted applications, login attempt records, application errors, as well as both brute-force attack detection and malware infection logs.
• The leaky server also contains data belonging to hotel employees, such as names, usernames, addresses, local PC names, server names, operating system details, and cybersecurity policy details.
• The data relating to multiple devices including hotel locks, in-room safes, and physical security management equipment were also included in the database.

“In the worst case scenario, this leak has the potential to put not only systems at risk, but the physical security hotel guests and other patrons as well,” researchers said.

The leaky server secured

The researchers including co-founder of vpnMentor Ariel Hochstadt, uncovered the leaky server on May 27, 2019, while using port scanners to map areas of the Internet. The information exposed by the unguarded database is dated back to April 19, 2019.

Upon discovery, the researchers notified Pyramid about the exposed server on May 28, 2019. The company secured the leaky database on May 29, 2019.

“This database gives any would-be attacker the ability to monitor the hotels’ network, gather valuable information about administrators and other users, and build an attack vector targeting the weakest links in the security chain,” researchers said in a blog.