Two-thirds of hotel websites leak personal data

Confirmation emails are inadvertently sharing booking details with third-party advertisers

Hotel booking on a tablet

Two-thirds of hotel websites inadvertently leak personal data to third-party companies and leave customers vulnerable to hackers.

This is according to research from cyber security firm Symantec, which found that the majority of booking systems used by hotels could allow scammers to access information such as mobile phone and passport numbers.

Advertisement - Article continues below

The leaks come from confirmation emails, sent to customers often containing an unsecured direct link to their booking. The report suggests that anyone on the same network could intercept the email and modify or cancel their reservation.

Principal threat researcher, Candid Wueest, tested the websites of 1,500 hotels from 54 countries and found that two in three of them, or 67%, had the problem. The security lapses are in breach of the EU's GDPR laws, which state that firms must protect the personal data of customers.

"The fact that this issue exists, despite the GDPR coming into effect in Europe almost one year ago, suggests that the GDPR's implementation has not completely addressed how organisations respond to data leakage," said Wueest.

Of the websites Wueest tested, more than half (57%) send confirmation emails to customers with a direct access link to their booking. This is for the convenience of the customer, giving them a simple link to click straight into their reservation without having to log in.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Because these emails require a static link, the booking reference code and the email are sent in the URL itself. This wouldn't be a problem on its own, but most of the websites load additional content on the same website, such as advertisements, meaning that the direct access is shared, either directly with other resources or indirectly through the referrer field in the HTTP request.

There are other scenarios in which the booking data may also be leaked. Some sites pass on the information during the booking process, while others leak it when the customer manually logs into the website. In most cases, Wueest found that the booking data remained visible, even if the reservation has been cancelled, offering up a large window of opportunity for hackers to steal personal information.

There were a number of hotel chains suffering data breaches in 2018, such as the Radisson chain, which had its customer's details accessed via its rewards scheme, and Mariott's Starwood Hotel system, which saw a major flaw discovered in its reservation system.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/mobile/mobile-security/355889/parachute-introduces-superlock-feature
mobile security

Parachute's Superlock feature keeps your phone recording in an emergency

2 Jun 2020
Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020

Most Popular

Visit/operating-systems/ios/355935/apple-confirms-serious-bugs-in-ios-135
iOS

Apple confirms serious bugs in iOS 13.5

4 Jun 2020
Visit/mobile/5g/355911/the-uk-pivots-to-japan-for-5g-equipment
5G

The UK looks to Japan and South Korea for 5G equipment

4 Jun 2020
Visit/server-storage/high-performance-computing-hpc/355916/inside-the-hawk-supercomputer
high-performance computing (HPC)

AMD virtual tour takes us inside Europe's Hawk supercomputer

4 Jun 2020