If you, or anyone you know, recently booked an exotic getaway at a particular luxury hotel chain in Vietnam, you might want to get a new credit card.
Last week, researchers at the MacKeeper Security Research Center found that the Silverland Hotel in Ho Chi Minh City had stored all their customers’ payment and personal data on an unsecured database.
The database, which had been left exposed for 62 days, included detailed credit card information (card type, number, name on card, expiration date, and CVV), guest details (name, age, gender, phone, email address), IP addresses, flight information, and special requests.
The researchers found 6,377 items on the database, which was publicly available and lacked any form of security, including a password for access. Both the database and the Silverland Hotel’s website were hosted on the same IP address.
It took the hotel two weeks after being informed of the database on August 12 to put a password on it. “The MacKeeper Security Research Center sent multiple emails, used the live chat feature on the website, and even spoke with the assistant of the hotel owner using the private phone number found on the domain registry,” wrote the researchers.
“The slow response left customers exposed as they continued to add additional credit card numbers to the database.” The researchers don’t know if the data was accessed by anyone else, or if the hotel even notified their customers of the leak.
According to Motherboard, the database was hosted on MongoDB, open source software that allows companies to create document-oriented databases. MongoDB itself is not insecure, but the companies who use it sometimes forget to set it up securely.
Silverland Hotels told Tech Wire Asia: “We’re working with MacKeeper to verify the information in their blog. Currently, our database system is secured and our website is still working.”