A lack of attention to detail has created an OPSEC (Operational Security) nightmare for many in government as their travel information was left unprotected by a government travel vendor’s subcontractor.
Autoclerk, which is owned by Best Western, laid bare over 179 gigabytes of travel information, which was available to any who could divine the URL of the data which was stored in the cloud (Amazon Web Services). In this instance, the Autoclerk data was connected to booking systems, data services and property management.
The information included names, date of birth, partial credit card data, phone numbers (while traveling and reservation centric), travel cost, itinerary, and hotel data (to include check-in data and room identification).
This is a bonanza for any hostile intelligence service or entity which is targeting a government traveler. In this instance, the cyber security researchers at vpnMentor identified numerous U.S. government travelers, including those from the military and the Department of Human Services.
The information provided any with access historical travel data (excellent for putting together travel patterns for targeted individuals) and future travel data (excellent for planning an operational engagement with targeted individuals).
U.S government slow to react
The vpnMentor team expressed surprise at the slow reaction to their notification that U.S. government data was available to be harvested. They provided a timeline:
- September 13th: Database discovered
- September 13th: U.S. CERT contacted, no response
- September 19th: U.S. Embassy in Tel Aviv notified about the lack of CERT response
- September 26th: Contact made with representative of the Pentagon, who ensures the issue will be dealt with
- October 2nd: Database closed
vpnMentor noted they were able to view the travel information on U.S. Army generals traveling to Moscow, Tel Aviv and other destinations.
Protect what you collect
While the government contracting office has some responsibility to test systems end to end, to include the efforts of subcontractors, the prime contractor also has a responsibility to ensure that data collected is protected.
If your organization is using any of the following services, you will want to have a chin-wag with your contractor to determine how they are protecting the travel data of your organization’s travelers.
- HAPI Cloud
- myHMS and CleanMeNext by Autoclerk
- Synxis by Sabre Hospitality Solutions
Counterintelligence and Travel Advice
This is not the first, nor will it be the last, where a vendor lacks attention to the information security details in protecting government employee and contractor personal information. Readers will recall the recent exposure of hundreds of thousands of resumes due to a poorly configured AWS data store.
Counterintelligence nightmares come at us from every direction, and this is one about which every government traveler must be aware. Facility Security Officers should make sure to remind, during their travel briefings to their constituents, that their specific travel information is not secret and may be available to hostile entities, and to be mindful that they do not control their environment when traveling.
Disclosure: This author is the founder of Securely Travel, a website which focuses on travel security.