Cybersecurity firm Symantec claims 67 percent of over 1,500 hotels tested leaked sensitive data
If you have booked a holiday through a hotel's website, then there is a good chance that your personal details — including your name, email address, phone, and passport number — were accidentally leaked to third-party websites.
This is the claim of cybersecurity research firm Symantec, which says it looked at the websites of over 1,500 hotels in more than 54 countries worldwide. The hotels ranged from two-star to five-star, and included independent companies as well as hotels from large chains of popular resorts.
The report comes soon after Marriott International disclosed in November how it had exposed 500 million guest records, in one of the largest-ever data breaches. However, Symantec said Marriott was not included in its study of hotel websites.
Symantec recognizes that advertisers regularly track users' browsing habits across the web, but in the examples it found here the guest information unintentionally shared "could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether."
This news comes almost a year after the General Data Protection Regulation (GDPR) came into effect across Europe, which is supposed to stop this kind of data misuse from happening, and fine organizations found to handle customer data recklessly.
Wueest continued: "The sites I tested ranged from two-star hotels in the countryside to luxurious five-star resorts on the beach. Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations."
67 percent of hotel websites accidentally leaked customer data
The majority of hotel websites tested, Wueest said, leaked personal data, including:
An issue Symantec discovered was how 57 percent of hotels tested send an email with a link to customers which, when clicked, logs them straight into their booking confirmation page - no username, password or account required. This would be fine if handled properly, but "many sites directly load additional content on the same website, such as advertisements."
This means, Wueest wrote, "Direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request. My tests have shown that an average of 176 requests are generated per booking...This number indicates that the booking data could be shared widely."
This leaked data could be used, Symantec said, to track the whereabouts of influential people like business owners, celebrities and government employees.
Wueest said a quarter of the 1,500-plus hotels he contacted did not reply within six weeks when notified of their irresponsible data practices, and for those who did, the average reply time for 10 days. Some admitted they were still updating their systems to be compliant with GDRP.
The researcher also found how some hotel websites could have their booking pages 'brute-forced' - in other words, a computer could be used to repeatedly guess at booking reference codes before discovering a real one. Some did not require the guest name or any other information, so with only the correctly-guessed booking reference, guest details would be revealed.
Wueest said: "I found multiple examples of these coding mistakes, which would have allowed me to not only access all active reservations for a large hotel chain, but also view every valid flight ticket of an international airline."
GearBrain TV: How to Secure your Smart Devices www.youtube.com