Abstract
The hospitality industry has undergone monumental changes with the advent of online booking and mobile connectivity. The widespread use of mobile booking apps, both client-owned and third party administered, has led to a skyrocketing number of visitors for travel and stay, owing to the ease of use of the apps. However, this has also made the critical consumer data, pertaining to travel and financial details, susceptible to the prying eyes of malicious users. So, when a leading player in the hospitality industry wanted to develop a new mobile platform, they had to be absolutely sure to secure it even before the launch. The company had previously undergone a huge security breach on its online booking services, and therefore, could not have the same thing happen again.
Challenge
The hospitality firm dealt with millions of users’ travel and financial details required for online reservations. The existing security protocols was known to have been breached in the past, leading to a leak of individual and firm data. The company required a sophisticated and foolproof security system incorporated in the mobile application and the database.
This accumulated in the client’s requirement of a swift upgradation of the legacy security implementation without impacting the ongoing operations on a day-to-day level.
Solution
The first action undertaken by Mindtree was a full diagnosis of the mobile application. This revealed several misconfigurations on the client servers, and the presence of backdoors and critical exploitable vulnerabilities. As a result, the entire database was accessible from different instances tested for. Based on the results generated from the passive attack scenarios, Mindtree provided the Application Security and Infrastructure Security services for the client.
Next, Mindtree’s testing team created threat models and attack vectors for the PoC of the solution using the BADO Threat Assessment Framework. Once the PoC was tested and approved by the client board, the model was used for vulnerability assessment. The results showed various encryption, admin and SQL database vulnerabilities (refer diagram).
Finally, these vulnerabilities were fixed and suggestions were generated for further mobile application security and database security measures. Further, Machine Learning-enabled Deep Exploit program was created to collect future attack patterns data to modify and protect the application from probable attacks:
Impact
- The client had undergone security breaches in the past that had resulted in high costs for data retrieval leaving a negative image of the company.
- Initial diagnosis exposed over 20 critical vulnerabilities and several misconfigurations on the mobile application developed by the client before the revamped application was introduced to the end-users.
- The solutions and patches provided by Mindtree helped secure the critical data of over 5 million users of the application.
- The previously undiagnosed vulnerabilities were exploited and rapid monitoring of the database was carried out to detect further weaknesses in the system, thus helping the client avoid the recurrence of any crucial failures it experienced before
Download the case study to learn more
