Two-thirds of hotel websites found to leak personal guest data
If you have booked a holiday through a hotel's website, then there is a good chance that your personal details — including your name, email address, phone, and passport number — were accidentally leaked to third-party websites.
This is the claim of cybersecurity research firm Symantec, which says it looked at the websites of over 1,500 hotels in more than 54 countries worldwide. The hotels ranged from two-star to five-star, and included independent companies as well as hotels from large chains of popular resorts.
The report comes soon after Marriott International disclosed in November how it had exposed 500 million guest records, in one of the largest-ever data breaches. However, Symantec said Marriott was not included in its study of hotel websites.
Candid Wueest, principal threat researcher at Symantec, said: "I found that two in three, or 67 percent, of these [1,500+ hotel websites] are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies. All of them did have a privacy policy, but none of them mentioned this behavior explicitly."
Symantec recognizes that advertisers regularly track users' browsing habits across the web, but in the examples it found here the guest information unintentionally shared "could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether."
This news comes almost a year after the General Data Protection Regulation (GDPR) came into effect across Europe, which is supposed to stop this kind of data misuse from happening, and fine organizations found to handle customer data recklessly.
Wueest continued: "The sites I tested ranged from two-star hotels in the countryside to luxurious five-star resorts on the beach. Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations."
The majority of hotel websites tested, Wueest said, leaked personal data, including:
- Full customer name
- Email address
- Postal address
- Mobile phone number
- Last four digits of credit card
- Credit card type and expiry date
- Passport number
An issue Symantec discovered was how 57 percent of hotels tested send an email with a link to customers which, when clicked, logs them straight into their booking confirmation page - no username, password or account required. This would be fine if handled properly, but "many sites directly load additional content on the same website, such as advertisements."
This means, Wueest wrote, "Direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request. My tests have shown that an average of 176 requests are generated per booking...This number indicates that the booking data could be shared widely."
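The two leak channels Wueest describes, the booking reference copied straight into a third-party request URL and the confirmation URL sent along in the HTTP Referer, can be checked for mechanically from a capture of a page's outbound requests. The following Python is an added example written for this article, not Symantec's tooling or any hotel's code: the request list, the hostnames and the `ref=ABC123` token are all constructed. `find_leaks` flags third-party requests that carry the token in either channel, and `referer_for` models what a browser sends under each value of the `Referrer-Policy` header, which is the usual mitigation (browsers at the time of this report defaulted to `no-referrer-when-downgrade`, which sends the full URL cross-origin over HTTPS; current browsers default to `strict-origin-when-cross-origin`).

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample: outbound requests captured while a booking confirmation
# page loads. The hosts and the token "ABC123" are made up for this example.
FIRST_PARTY = "booking.example-hotel.test"
CONFIRM_URL = "https://booking.example-hotel.test/confirm?ref=ABC123&email=guest%40example.test"
SAMPLE_REQUESTS = [
    {"url": "https://booking.example-hotel.test/css/main.css", "referer": CONFIRM_URL},
    {"url": "https://ads.example-adnetwork.test/pixel?page=confirm", "referer": CONFIRM_URL},
    # Analytics script that copies the page location into its own query string.
    {"url": "https://analytics.example-tracker.test/collect?dl=https%3A%2F%2F"
            "booking.example-hotel.test%2Fconfirm%3Fref%3DABC123",
     "referer": "https://booking.example-hotel.test/"},
    {"url": "https://cdn.example-fonts.test/font.woff2", "referer": "https://booking.example-hotel.test/"},
]


def is_third_party(url, first_party_host):
    """True when the request host is neither the first-party host nor one of its subdomains."""
    host = urlsplit(url).hostname or ""
    return host != first_party_host and not host.endswith("." + first_party_host)


def find_leaks(requests, first_party_host, token):
    """Return (host, channel) for each third-party request that carries the token.

    channel is "url" when the token sits in the request URL itself (the script
    copied it out) and "referer" when only the Referer header carries it.
    """
    leaks = []
    for req in requests:
        if not is_third_party(req["url"], first_party_host):
            continue
        if token in unquote(req["url"]):
            leaks.append((urlsplit(req["url"]).hostname, "url"))
        elif token in unquote(req.get("referer", "")):
            leaks.append((urlsplit(req["url"]).hostname, "referer"))
    return leaks


def referer_for(policy, source_url, dest_url):
    """Simplified model of the Referer a browser sends under a given Referrer-Policy.

    Returns None when no header is sent. Fragments and credentials are never sent,
    so "full" means scheme, host, path and query only.
    """
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    origin = f"{src.scheme}://{src.netloc}/"
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    for host, channel in find_leaks(SAMPLE_REQUESTS, FIRST_PARTY, "ABC123"):
        print(f"booking reference reaches {host} via {channel}")
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, "->", referer_for(policy, CONFIRM_URL, "https://ads.example-adnetwork.test/pixel"))
```

Note that a `Referrer-Policy` header only closes the second channel: the analytics request in the sample would still carry the reference because the script reads it from the page location, so the audit has to look at request URLs as well as headers. The cleaner fix on the hotel side is to keep the reference out of the confirmation URL altogether (a short-lived session after the link is clicked, with the page served at a token-free path).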
This leaked data could be used, Symantec said, to track the whereabouts of influential people like business owners, celebrities and government employees.
Wueest said a quarter of the 1,500-plus hotels he contacted did not reply within six weeks when notified of their irresponsible data practices, and for those who did, the average reply time was 10 days. Some admitted they were still updating their systems to be compliant with GDPR.
The researcher also found that some hotel websites' booking pages could be 'brute-forced' - in other words, a computer could be used to repeatedly guess booking reference codes until it hit a real one. Some pages did not require the guest name or any other information, so the correctly guessed booking reference alone was enough to reveal the guest's details.
Wueest said: "I found multiple examples of these coding mistakes, which would have allowed me to not only access all active reservations for a large hotel chain, but also view every valid flight ticket of an international airline."
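The weakness in the brute-force cases above is that the booking reference is treated as the only secret, and a lookup page answers differently for a real reference than for a made-up one. The following Python is an added illustration of the defensive pattern, not code from Symantec or from any hotel system: the reservation table, the lockout thresholds and the `client_id` idea are assumptions. A lookup requires the reference and the guest surname together, returns the same "denied" answer whether the reference or the surname was wrong, and locks a client out after a run of failures so that guessing cannot proceed at machine speed.

```python
import hmac
import time
from collections import defaultdict

# Constructed reservation store: reference -> guest surname. Assumed for this example.
RESERVATIONS = {"ABC123": "Mustermann", "XYZ789": "Okafor"}

MAX_ATTEMPTS = 5        # failures allowed per client inside the window
LOCKOUT_SECONDS = 900   # window length; assumed values, tune per site


class BookingLookup:
    """Two-factor booking lookup with per-client failure throttling."""

    def __init__(self, store, clock=time.monotonic):
        self._store = store
        self._clock = clock                      # injectable for testing
        self._failures = defaultdict(list)       # client_id -> failure timestamps

    def _recent_failures(self, client_id):
        now = self._clock()
        recent = [t for t in self._failures[client_id] if now - t < LOCKOUT_SECONDS]
        self._failures[client_id] = recent
        return len(recent)

    def lookup(self, client_id, reference, surname):
        """Return "locked", "denied" or "granted"; never reveal which factor was wrong."""
        if self._recent_failures(client_id) >= MAX_ATTEMPTS:
            return "locked"
        expected = self._store.get(reference.strip().upper())
        # An unknown reference and a wrong surname take the same path and get the
        # same answer, so a guesser learns nothing about which references exist.
        # compare_digest keeps the surname check from leaking through timing.
        candidate = (expected or "").casefold().encode()
        supplied = surname.strip().casefold().encode()
        if expected is None or not hmac.compare_digest(candidate, supplied):
            self._failures[client_id].append(self._clock())
            return "denied"
        return "granted"


if __name__ == "__main__":
    desk = BookingLookup(RESERVATIONS)
    print(desk.lookup("client-a", "ABC123", "mustermann"))   # granted
    print(desk.lookup("client-a", "ABC123", "smith"))        # denied
    print(desk.lookup("client-a", "QQQ000", "Mustermann"))   # denied, same answer
```

Combined with booking references drawn from a large enough space, this makes the reference useless on its own, which is what the pages Wueest describes got wrong. The lockout is keyed by a client identifier (an IP address or session, in practice), so a production version would also cap total failures per reference to cover distributed guessing.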