Two-thirds of hotel websites found to leak personal guest data
Cybersecurity firm Symantec claims 67 percent of over 1,500 hotels tested leaked sensitive data
If you have booked a holiday through a hotel's website, then there is a good chance that your personal details — including your name, email address, phone, and passport number — were accidentally leaked to third-party websites.
This is the claim of cybersecurity research firm Symantec, which says it looked at the websites of over 1,500 hotels in more than 54 countries worldwide. The hotels ranged from two-star to five-star, and included independent companies as well as hotels from large chains of popular resorts.
The report comes soon after Marriott International disclosed in November how it had exposed 500 million guest records in one of the largest-ever data breaches. However, Symantec said Marriott was not included in its study of hotel websites.
Candid Wueest, principal threat researcher at Symantec, said: "I found that two in three, or 67 percent, of these [1,500+ hotel websites] are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies. All of them had a privacy policy, but none mentioned this behavior explicitly."
Symantec recognizes that advertisers regularly track users' browsing habits across the web, but in the examples it found here the guest information unintentionally shared "could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether."
This news comes almost a year after the General Data Protection Regulation (GDPR) came into effect across Europe. The regulation is supposed to stop this kind of data misuse from happening and to fine organizations found to handle customer data recklessly.
Wueest continued: "The sites I tested ranged from two-star hotels in the countryside to luxurious five-star resorts on the beach. Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations."
67 percent of hotel websites accidentally leaked customer data
The majority of hotel websites tested, Wueest said, leaked personal data, including:
An issue Symantec discovered was that 57 percent of hotels tested send an email with a link to customers. When clicked, the link logs customers straight into their booking confirmation page—no username, password, or account is required. This would be fine if handled properly, but "many sites directly load additional content on the same website, such as advertisements."
This means, Wueest wrote, "Direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request. My tests have shown that 176 requests are generated per booking...This number indicates that the booking data could be shared widely."
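The leak Wueest describes can be checked for on a confirmation page. The following audit script is an added example, not code from the article or from Symantec: it assumes (constructed for illustration) that the booking reference sits in the confirmation URL's query string, that the page embeds third-party ad and analytics resources, and that the browser's default referrer policy sends the full URL cross-origin, as was common when the research was done.

```python
"""Audit a booking-confirmation page for the Referer leak described above.
Added example with constructed sample data; not part of the original article."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query-parameter names assumed to carry a booking reference (illustrative).
REFERENCE_PARAMS = {"booking", "ref", "reservation", "confirmation"}
# Referrer-Policy values that keep the query string out of cross-origin requests.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "origin",
                          "strict-origin", "strict-origin-when-cross-origin"}


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches while rendering the page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and attrs.get("href"):  # e.g. stylesheets
            self.urls.append(attrs["href"])


def audit_confirmation_page(page_url, html, referrer_policy=None):
    """Return the reference found in the URL, every third-party host the page
    loads from, and which of those hosts would receive the reference via the
    Referer header (reference in query string + cross-origin load + no safe
    Referrer-Policy header)."""
    parsed = urlparse(page_url)
    query = parse_qs(parsed.query)
    reference = next((v[0] for k, v in query.items()
                      if k.lower() in REFERENCE_PARAMS), None)
    collector = ResourceCollector()
    collector.feed(html)
    hosts = {urlparse(u).hostname for u in collector.urls}
    third_party = sorted(h for h in hosts if h and h != parsed.hostname)
    policy_ok = (referrer_policy or "").lower() in SAFE_REFERRER_POLICIES
    leaks_to = [] if (reference is None or policy_ok) else third_party
    return {"reference": reference, "third_party_hosts": third_party,
            "leaks_to": leaks_to}


# Constructed sample input: a confirmation URL and a page with two trackers.
SAMPLE_URL = "https://hotel.example/confirm?booking=AB12CD34&lang=en"
SAMPLE_HTML = """<html><body>
<script src="https://ads.example.net/tag.js"></script>
<img src="https://analytics.example.com/pixel.gif">
<img src="/images/logo.png">
<script src="https://hotel.example/app.js"></script>
</body></html>"""
```

Running `audit_confirmation_page(SAMPLE_URL, SAMPLE_HTML)` reports both tracker hosts under `leaks_to`; passing `referrer_policy="no-referrer"` (or moving the reference out of the URL into a POST body or session) empties that list.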
Symantec said this leaked data could be used to track the whereabouts of influential people like business owners, celebrities, and government employees.
Wueest said a quarter of the 1,500-plus hotels he contacted did not reply within six weeks when notified of their irresponsible data practices, and for those that did, the average reply time was 10 days. Some admitted they were still updating their systems to be compliant with GDPR.
The researcher also found that some hotel websites could have their booking pages 'brute-forced'—in other words, a computer could be used to repeatedly guess at booking reference codes before discovering a real one. Some did not require the guest name or any other information, so guest details would be revealed using only the correctly guessed booking reference.
Wueest said, "I found multiple examples of these coding mistakes, which would have allowed me to access all active reservations for a large hotel chain and view every valid flight ticket of an international airline."