In July of 2019, a breach was exposed involving the global hospitality company, Choice Hotels. The breach involved a MongoDB database hosted by a vendor that provides services to Choice Hotels. Like many breaches, it was completely unnoticed by internal personnel but was discovered by an outside security consultant who periodically scans the Internet for open connections. The database was exposed to the outside world through an open connection requiring no password or authentication means to access it. Upon discovering the open database, the consultant found a digital calling card left behind informing the company the perpetrator was in possession of the database. A ransom demand of $4,300 was also included. Assuming that the intruder intended to encrypt the database, the attempt failed so the database remained intact. The vendor secured the database and closed the connection within four days of the discovery.
The database contained 5.7 million records, although Choice Hotels stated that most of those were test records and that only 700,000 were actual customers. The records of these former guests included details such as full names, addresses, phone numbers, email addresses, and consent statuses. Company management emphasized that no payment, password or reservation information was compromised. They also stated that the company would contact the affected customers in the coming days.
No doubt, those 700,000 guests can breathe a sigh of relief that no payment information or highly confidential data was involved. However, the absence of a monetary impact does not mean that those people are out of trouble. This is one of the misconceptions about large data breaches: the costs involved are more than just monetary. Consider the circumstances if you are one of the 700,000 people whose information was exposed. A wrongdoer now has your email address and mobile number. Chances are you will experience an increased number of phishing attacks over the coming years, as the criminal world now knows it has a real working email address. Even if the original perpetrator does not use the stolen address, the perpetrator will sell it as part of a bulk transaction involving thousands of email addresses. The same is true for SMS phishing.
It goes beyond the increased number of potential phishing attacks. Scammers can use the personal details now in their possession to make their attacks more convincing. Future perpetrators might even impersonate Choice Hotels and try to obtain information that is more sensitive. A data breach has many long-term consequences, and its unfortunate victims are targeted for years into the future.
Many companies are turning to the cloud for business-critical services. Ironically, one of the driving motivators is security related. While moving web-based applications to a third party may be a way to pass on the cost and burden of securing your systems, it does not negate your responsibility to protect that data. This is why it is critically important to vet all of your vendors. This should include a formal request for their implemented IT security measures, controls, and standards. While it may be uncomfortable to ask this of a long-time vendor with whom you have shared a constructive relationship, it will be even more uncomfortable making those calls to thousands of affected parties. Your data, as well as your corporate reputation, is only as strong as your weakest link. Vendors should be treated as simply another site within your IT estate.
The breach is another example of just how many open connections there still are throughout the Internet. In January of 2017, hackers targeted some 28,000 MongoDB instances that lacked authentication. MongoDB responded that most of these attacks were due to misconfigured settings, a lack of authentication enforcement and poorly patched systems. Whether it is a large company database or a simple RDP connection, the era of open connections is over. Choice Hotels and its vendor were both lucky that only an amateur infiltrated them. An experienced professional could have hijacked the server and used it to spread malware into other facets of both organizations.
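As an added example (not part of the original article), the following script audits a mongod.conf for the two misconfigurations named above: no authentication enforcement and a listener bound to every interface. The sample configurations, the finding labels and the function names are constructed for illustration; the configuration keys are MongoDB's own.

```python
import ipaddress

# Constructed sample: listens on all interfaces, no access control configured.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: authentication enforced, bound to chosen interfaces.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

def flatten_conf(text):
    """Flatten the nested 'key: value' YAML subset used by mongod.conf
    into a dict with dotted keys such as 'net.bindIp'."""
    flat, stack = {}, []  # stack holds (indent, key) for each open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that ended at this indent level
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return flat

def audit(text):
    """Return finding labels; an empty list means neither issue is present."""
    cfg, findings = flatten_conf(text), []
    # Access control is off unless security.authorization is 'enabled'.
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("NO_AUTH")
    wildcard = cfg.get("net.bindIpAll", "false").lower() == "true"
    for addr in cfg.get("net.bindIp", "localhost").split(","):
        try:
            wildcard = wildcard or ipaddress.ip_address(addr.strip()).is_unspecified
        except ValueError:
            pass  # hostname or socket path, not a wildcard address
    if wildcard:
        findings.append("ALL_INTERFACES")
    return findings
```

A configuration that returns both findings matches the exposure described in this breach: a database reachable from any network with no credentials required.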
There is another hidden consequence of this and other large-scale breaches. It wasn’t just personal emails that were compromised. Many people book reservations or make online transactions using their work email. This means that their employers will experience some of the fallout as well. Cybercriminals can make quick inroads into an organization through credential stuffing attacks on these captured emails. Once completely compromised, they can perform reconnaissance to learn about the communicative culture of the hosting organization and, more importantly, who controls invoices and payroll. It is because of the Choice Hotels breach and so many other cybersecurity incidents that occur daily that all companies must maintain a diligent fight against phishing, BEC and other types of email attacks.
SpamTitan and its portfolio of security controls such as double antivirus protection, sandboxing, data leak prevention, email content filtering, and DMARC authentication enforcement can ensure that your company and your users are not victims of someone else’s carelessness.