
Aavgo Breach Reveals Hotel Guests’ Personal Data


A security lapse at a hotel management startup has exposed hotel bookings and guests’ personal information.

Aavgo, a hospitality tech company based in San Francisco, secured a server it had left online without a password after TechCrunch reached out to the firm.

The server, which was open for three weeks, was discovered by security researcher Daniel Brown. The exposed database held daily-updated logs of the back-end computer system, as well as some personal booking data, including names, email addresses, phone numbers, room types, prices, the location of the hotel and the room, and the dates and times of check-in and check-out. The database also included room service orders, guest complaints, invoices and other sensitive information used for accessing the Aavgo system.

Fortunately, there was no financial information in the database aside from the credit card issuer.

Several large hotel chains, including Holiday Inn Express and Zenique Hotels, use Aavgo’s technology. One of those impacted by the breach is Guestline, a property management company for hoteliers, which used Aavgo in two hotels and currently facilitates 6.3 million bookings a year. Its data protection officer James Padkin said data protection is of “paramount importance” and the company has “ceased our very limited trial of the AavGo housekeeping app.”

Although Brown reached out to AavGo, it wasn’t until TechCrunch contacted its chief executive, Mrunal Desai, that the company finally shut down the database.

“We had no data breach; however, we did find a vulnerability,” said Desai. He said data on 300 hotel rooms was exposed. However, Brown said that, based on his review of the data, the number is likely higher. Desai added that the company has “already started informing our customers about this vulnerability.”

TechCrunch was also contacted by the company’s outside counsel, a Texas-based law firm, which threatened “immediate legal action” before the report was published.

