Luxury Hotel leaks thousands of customers’ credit cards online
[This post has been updated to include statements on behalf of Silverland Hotels & Spas’ IT team - in italic]
The MacKeeper Security Research Center has discovered an open database belonging to the Silverland Hotel in Ho Chi Minh City, Viet Nam with thousands of unencrypted credit cards.
The cardholder accounts include the payment information of Australian, US, UK citizens and a range of international guests who have stayed at the hotel.
Imagine you have saved and planned for your perfect holiday trip to Vietnam’s capital and booked your luxury hotel; of course you wouldn't expect your card details and personal info to be available online. Along with the payment information, the database also contained login details, IP addresses and special requests of the guests. The total number of entries reached 6377 items (i.e. credit card details).
This open database was publicly available and required no password to access. The exposed database and the website were hosted on the same IP address.
The first notification was sent to the hotel email address immediately after we identified the exposure during our weekly security scan on August 12th.
[The first email eventually discovered by Silverland, after being contacted by a customer late in the evening of August 29, in the hotel’s junk mail folder was dated August 17 and contained the August 12 email, which email did not include any address where it was purportedly sent].
[On August 30, 2016, MacKeeper engaged in a live chat with Silverland discussing the data leak. That very same day, August 30, Silverland’s IT team contacted Hostgator about the problem and port 27017 was immediately closed with password protection. On September 6, 2016, Silverland completed the vulnerability assessment verifying that Silverland’s web server was secure. Silverland’s customers that may have been affected were notified of the data leak by email on September 7, 2016.]
The MacKeeper Security Research Center sent multiple emails, used the live chat feature on the website and spoke with the assistant of the hotel owner using the private phone number found on the domain registry. Customers remained exposed as they continued to add additional credit card numbers to the database.
It is unclear if the data was accessed by anyone else.
The Silverland Hotels & Spas’ IT team has secured the port in question with password protection, the web server has been secured, the customers that may have been affected have been notified, and Silverland Hotels & Spas is working with the banking institutions to ensure that any potential problems are covered. Additionally, Silverland Hotels & Spas has retained U.S. (Colorado) attorney Ira J. Bornstein to assist them in handling this matter.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.