A security lapse at a hotel management startup has exposed hotel bookings and guests’ personal information.
The security lapse was resolved Monday after TechCrunch reached out to Aavgo, a hospitality tech company based in San Francisco, which secured a server it had left online without a password.
The server was open for three weeks — long enough for security researcher Daniel Brown to find the database.
He shared his findings exclusively with TechCrunch, then published them.
Aavgo bills itself as a way for hotels to organize their operations by using several connected apps — one for use by guests using tablets installed in their hotel rooms for entertainment, ordering room service and checking out, and another for staff to communicate with each other, file maintenance tickets and manage housekeeping.
Several large hotel chains, including Holiday Inn Express and Zenique Hotels, use Aavgo’s technology in their properties.
The database contained daily updating logs of the back-end computer system. Although most of the records were logs of computer commands critical to the running of the system, we found personal booking data within them — including names, email addresses, phone numbers, room types, prices, the location of the hotel and the room, and the dates and times of check-in and check-out.
There was no financial information in the database beyond the credit card issuer.
The database also contained room service orders, guest complaints, invoices and other sensitive information used for accessing the Aavgo system, the researcher said.
Many of the records were related to its corporate hotelier customers.
One of those customers included Guestline, a property management company for hoteliers, which used Aavgo in two hotels. Guestline facilitates 6.3 million bookings a year.
When reached, Guestline’s data protection officer James Padkin said data protection is of “paramount importance” and the company has “ceased our very limited trial of the AavGo housekeeping app.”
After the company failed to respond to the researcher’s initial email, Aavgo shut down the database a few hours after TechCrunch made contact with its chief executive, Mrunal Desai.
“We had no data breach; however, we did find a vulnerability,” said Desai. He said data on 300 hotel rooms was exposed. Brown said, however, that based on his review of the data the number is likely higher. Desai added that the company has “already started informing our customers about this vulnerability.”
Midway during our correspondence, Desai copied the company’s outside counsel, a Texas-based law firm, which threatened “immediate legal action” ahead of publishing this report.
Aavgo becomes the latest hospitality company embroiled in a hotel-related security incident in recent years.
In 2017, hotel booking service Sabre confirmed a seven-month-long data breach of its SynXis reservation system, affecting more than 36,000 hotels globally and millions of credit cards.
A year later, Marriott-owned Starwood admitted a breach that affected up to 383 million hotel guests around the world. Earlier this month, U.K. authorities said they would fine the company $123 million for the breach under the new GDPR regime, which affected about 30 million customers in the European Union.
Updated to clarify that Guestline’s use of Aavgo was limited to two hotels and one of many technologies used.