Two in three hotel websites are putting guests’ private data at risk, according to security firm Symantec. The affected sites span a range of hotels, from 5-star beach resorts to 2-star hotels in the countryside.

Data Leak

Data Going to Third-Parties

Symantec’s Principal Threat Researcher Candid Wueest made the discovery whilst researching potential formjacking attacks on hotel websites. He found:

2 in 3, or 67% of these sites are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies. All of them did have a privacy policy, but none of them mentioned this behavior explicitly.

He said that ‘some reservation systems were commendable,’ and only revealed the date and numerical value of a stay. However, others leaked personal data including full name, address, credit card information and passport number.

The issue was partly caused by confirmation emails sent to customers. A significant number of hotel sites did not encrypt the emailed link that contained the booking ID. Booking references could also be obtained by brute forcing.
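A defender-side check for the three weaknesses described above (an unencrypted confirmation link, a booking reference exposed to third parties, and a guessable reference), as an added example that is not from Symantec or this article. It assumes the reference travels in the link's query string under a hypothetical parameter name `ref`; the sample link and page are constructed.

```python
import math
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input (not from the article).
SAMPLE_LINK = "http://booking.hotel.example/retrieve?ref=1234567&email=guest%40mail.example"
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.analytics.example/t.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="https://ads.adnetwork.example/pixel.gif">
<img src="https://booking.hotel.example/logo.png">
</body></html>"""


class ResourceHosts(HTMLParser):
    """Collect the hosts of sub-resources a browser fetches on page load."""

    def __init__(self):
        super().__init__()
        self.scripts, self.others = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("href") if tag == "link" else attrs.get("src")
        host = urlsplit(url or "").hostname
        if host:  # relative URLs have no host and stay first-party
            (self.scripts if tag == "script" else self.others).add(host)


def audit_confirmation(link, page_html, ref_param="ref"):
    """Audit one e-mailed confirmation link and the page it opens."""
    url = urlsplit(link)
    ref = dict(parse_qsl(url.query)).get(ref_param)  # ref_param is hypothetical
    hosts = ResourceHosts()
    hosts.feed(page_html)
    alphabet = 10 if ref and ref.isdigit() else 36  # assumed: digits or alphanumeric
    return {
        # Plain HTTP exposes the link, and the reference in it, on the network.
        "unencrypted_link": url.scheme != "https",
        "reference_in_url": ref is not None,
        # Third-party scripts run in the page and can read location.href.
        "third_party_scripts": sorted(hosts.scripts - {url.hostname}),
        # Other third-party fetches may carry the URL in Referer, depending on
        # the page's referrer policy.
        "third_party_other": sorted(hosts.others - {url.hostname}),
        # Rough size, in bits, of the space of references with this shape.
        "guess_space_bits": round(len(ref) * math.log2(alphabet), 1) if ref else None,
    }
```

Calling `audit_confirmation(SAMPLE_LINK, SAMPLE_PAGE)` returns a dictionary of findings; a small `guess_space_bits` value means references of that shape can be enumerated unless the site rate-limits lookups or requires a second factor such as the guest's e-mail address.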
