A security lapse at a hotel management startup has exposed hotel bookings and guests’ personal information.
The server, which was open for three weeks, was discovered by security researcher Daniel Brown. The exposed database contained daily-updated logs of the back-end computer system, as well as some personal booking data, including names, email addresses, phone numbers, room types, prices, the location of the hotel and the room, and the dates and times of check-in and check-out. The database also included room service orders, guest complaints, invoices and other sensitive information used for accessing the AavGo system.
Fortunately, there was no financial information in the database aside from the credit card issuer.
Several large hotel chains, including Holiday Inn Express and Zenique Hotels, use AavGo’s technology. One of those affected by the breach is Guestline, a property management company for hoteliers, which used AavGo in two hotels and currently facilitates 6.3 million bookings a year. Its data protection officer James Padkin said data protection is of “paramount importance” and the company has “ceased our very limited trial of the AavGo housekeeping app.”
Although Brown reached out to AavGo, it wasn't until TechCrunch contacted its chief executive, Mrunal Desai, that the company finally shut down the database.
“We had no data breach; however, we did find a vulnerability,” said Desai. He said data on 300 hotel rooms was exposed. However, Brown said that, based on his review of the data, the number is likely higher. Desai added that the company has “already started informing our customers about this vulnerability.”
TechCrunch was also contacted by the company’s outside counsel, a Texas-based law firm, which threatened “immediate legal action” before the report was published.