Best Western Autoclerk Hacked – millions of records exposed in clear text


Autoclerk, the online reservations system owned by Best Western Hotel and Resorts, has been hacked.

A research team at vpnMentor exposed the 179GB Autoclerk hack. The effect is global, with millions of new records each day.

Autoclerk is a combined reservations system for hotels, accommodation providers, travel agencies and more. Its features include AWS server-and-cloud-based Property Management Systems (PMS), a web booking engine, Central Reservations Systems, and hotel PMS interfaces.

It also connects to various online booking systems, including Synxis Hospitality Solutions (Sabre), myHMS and CleanMeNext, Open Travel and HAPI Cloud, which interconnects many other travel and hospitality systems.


A significant Autoclerk user, via a third-party travel provider, is the US Government, its military and Department of Homeland Security.

Many records contain sensitive personal details of officials. At a minimum the data includes:

  • Full name
  • Date of birth
  • Home address
  • Phone number
  • Dates & costs of travel
  • Masked credit card details
  • Check-in time and room number

What to do?

This data is combined with personal profiles held on the dark web to assist in ID theft. If you have used Best Western, be alert for increased phishing scams (criminals posing as Best Western employees who are able to access your stay information) and use a VPN when online, especially when shopping or banking.

vpnMentor has a guide to online privacy that makes compelling reading.

GadgetGuy’s take – The Autoclerk breach is typical of poorly written software

Autoclerk (and its many fingers in the travel pie) is an excellent piece of functional software. But so much software is written over many years and continues to be added to with little thought as to how these legacy systems can withstand modern penetration techniques.

A great example of poor, shoddy and amateur software is Facebook, written by students in one of the world’s most vulnerable languages – PHP. Again, we are not commenting on its functionality, but its legacy heritage shows in things like the Cambridge Analytica leak.

Back to Autoclerk – it is not the first time this has happened. You can read of an alleged hack discovered in 2008 where “The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.”