Sensitive US Army data 'exposed by online leak'

Image caption: Information about where serving soldiers were staying was easily accessible, researchers say (image copyright: Getty Images)

The travel details of large numbers of US government and military personnel have been exposed in a data leak, a security company says.

VPNMentor said 179GB of data had been accessible on an unsecured cloud server run by a travel services company.

The AutoClerk database had contained sensitive information about serving soldiers and civilians, it said.

The data had now been locked down, after the US Department of Defense had intervened, VPNMentor said.

Travel costs

The information exposed had included full names, birth dates, addresses, phone numbers and travel itinerary details, including details of flights to sensitive locations such as Moscow and Tel Aviv as well as arrival times at hotels and, in some cases, room numbers, VPNMentor said.

Payment card numbers had been included but obscured with standard security systems.

Researchers Noam Rotem and Ran Locar said they had found the exposed database, which provided an "invaluable insight into the operations and activities of the US government and military personnel", while carrying out a large-scale web scanning and mapping project.

"For the US government, alarm bells should be ringing," said Mr Rotem and Mr Locar.

Data on more than 100,000 other trips, booked by civilians, had also been exposed, they said.

VPNMentor said it had notified AutoClerk about the data it had found but received no response.

It had also contacted the US Computer Emergency Response Team and the US Department of Defense with its findings.

And soon after officials at the Pentagon had been notified, access to the database had been locked.

Neither AutoClerk, which handles itinerary and booking data for several hotel chains and other travel companies, nor parent company Best Western has responded to a BBC News request for comment.

The data leak is the latest in a series to hit travel companies.

Choice Hotels, Intercontinental, Radisson, Chinese hotel chain Huazhu, Hyatt, Hilton, Teletext Holidays and many others have all lost data or been hit by hackers.

In July, the UK's information commissioner announced an intention to fine hotel chain Marriott £99m over a 2018 data breach that saw details on 339 million guests go astray.
