2 in 3 Hotel Websites Leak User Data

Data Leak

Two in three hotel websites are putting guests’ private data at risk, according to security firm Symantec. The affected sites belong to a range of hotels, from 5-star beach resorts to 2-star hotels in the countryside.

Data Going to Third Parties

Symantec’s Principal Threat Researcher Candid Wueest made the discovery whilst researching potential formjacking attacks on hotel websites. He found:

2 in 3, or 67% of these sites are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies. All of them did have a privacy policy, but none of them mentioned this behavior explicitly.

He said that ‘some reservation systems were commendable,’ and only revealed the date and numerical value of a stay. However, others leaked personal data including full name, address, credit card information and passport number.

The issue was partly caused by confirmation emails sent to customers. A significant number of hotel sites did not encrypt the link in an email containing the booking ID. Booking references could also be accessed by brute forcing.
