Study Shows Majority of Hotels Leaking Guest Data

April 11, 2019

Symantec, a cybersecurity software company, conducted research and found that about two-thirds of hotel websites are leaking guests’ personal information to third-party sites.

The research focused on 1,500 hotels in 54 countries that ranged from two-star properties to five-star resorts. Of those studied, 67 percent were found to be leaking guest names, home addresses, email addresses, phone numbers, some credit card information and even passport numbers to third-party sites.

Candid Wueest, who led the study, said: “While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.”

“Some reservation systems were commendable, as they only revealed a numerical value and the date of the stay and did not divulge any personal information. But the majority leaked personal data,” Wueest added.

The way hotels leaked information varied. Some sites passed on personal details during the booking process or when the traveler logged in to the hotel website. Hotels do not always appear to be aware of the leak, as it could occur when a hotel site sent a confirmation email containing links with direct booking information. The reference code attached to the link could be shared with 30 different service providers, social networks, advertising companies and search engines.

Wueest said: “In most cases, I found that the booking data remains visible, even if the reservation has been canceled, granting an attacker a large window of opportunity to steal personal information.”

Symantec notified the hotels of the leaks, and 25 percent of the data privacy officers at those hotels did not reply to the company within six weeks of being notified. Those who replied took an average of 10 days to respond.

Wueest said, “Some admitted that they are still updating their systems to be fully GDPR-compliant.” GDPR refers to the General Data Protection Regulation, a European privacy law with strict guidelines for how organizations and businesses deal with data leakage.

“Unfortunately, for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel,” Wueest said.

