And it continues to be a major issue for some reason.
This week researchers found 85 gigabytes of security log data (talk about a nightmare for a business to expose that) in an Elasticsearch database.
The server was discovered on May 27th and the data goes back to April 19th, so that might be the exposure window.
The server has been connected to the Pyramid Hotel Group. Their web site says they provide superior operations, owner relations and support services to hotels and their investors. IT DOESN’T SAY ANYTHING ABOUT PROVIDING SECURE SERVICES TO THEM.
The data was locked down after Pyramid was informed but they have not publicly admitted to the breach.
IN THE U.S., THERE MAY BE NO LEGAL REQUIREMENT TO DISCLOSE BREACHES OF THIS TYPE BECAUSE THEY MAY NOT CONTAIN ANY NON-PUBLIC PERSONAL INFORMATION.
It is unknown what the contracts between these hotel owners and Pyramid say, but for our clients who engage us to review outsourcing contracts, Pyramid would have a huge liability in this case – probably in the tens of millions or more due to the amount of emergency work that will be required to mitigate the damage – see below.
Pyramid manages hotels for franchises of Marriott, Sheraton, Aloft and many independents.
What’s in the data?
- Information on hotel room locks and room safes.
- Physical security management equipment.
- Server access API keys
- Device names
- Firewall and open port data
- Malware alerts
- Login attempt information
- Application errors
- Hotel employee names and usernames
- Local PC names and OS details
- Server names and OS details
- Security policy details
- and a bunch of other information.
In other words, a veritable road map for the bad-peops.
Businesses need to create processes to manage new cloud instances and ensure they are secure as well as audit existing cloud instances.
Likely in this case, this instance was created by an employee to do a particular task, and that employee probably never even considered security.
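One way to audit existing instances for this specific failure, as an added example that is not from the original post: it sends an unauthenticated `GET /` to each Elasticsearch HTTP endpoint in your own inventory and flags any that return cluster metadata without credentials. The hostnames, sample response and function names are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

# Constructed sample of what an unsecured Elasticsearch node returns for GET /
SAMPLE_OPEN = (b'{"name":"node-1","cluster_name":"logs",'
               b'"version":{"number":"7.0.0"},"tagline":"You Know, for Search"}')

def classify(status, body):
    """Classify the reply to an unauthenticated GET / on an Elasticsearch port."""
    if status in (401, 403):
        return "auth-required"          # security is enabled: the desired state
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:                  # not JSON (or not UTF-8): some other service
        return "not-elasticsearch"
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "OPEN"                   # cluster metadata served without credentials
    return "not-elasticsearch"

def probe(base_url, timeout=5):
    """Send one credential-free request to an endpoint you own and classify it."""
    try:
        with urllib.request.urlopen(base_url + "/", timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536))
    except urllib.error.HTTPError as err:   # 401/403 arrive here as exceptions
        return classify(err.code, b"")
    except (urllib.error.URLError, OSError):
        return "unreachable"            # closed port, timeout or TLS failure

def audit(inventory, fetch=probe):
    """Return the inventory endpoints that answer without authentication."""
    return [url for url in inventory if fetch(url) == "OPEN"]

if __name__ == "__main__":
    # Constructed inventory; replace with an export from your own asset list.
    inventory = ["http://logs-es.example.internal:9200",
                 "http://search.example.internal:9200"]
    for url in inventory:
        print(url, probe(url))
```

Run it on a schedule against the full asset inventory so that an instance stood up for a one-off task is caught as soon as it appears in the list.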
Servers will now need to be rekeyed and automation edited to accommodate that and companies will need to figure out the security implications and mitigations of the rest of the data that was exposed.
And of course, since this is an outsource vendor, these companies’ vendor cyber risk management programs are, apparently, defective.
Information for this post came from ZDNet.