Two out of three hotel websites are unintentionally leaking guests’ booking details and personal data to third-party sites in a widespread hotel data leak, according to cybersecurity firm Symantec.
Tests on more than 1,500 hotel sites, spanning 54 countries and five continents, showed 67% of them accidentally leaked booking reference codes to third parties, such as analytics companies and advertisers.
With the booking reference, a hacker could log in to the booking and view personal details that include full name, email address, postal address, mobile phone number, the last four digits of the credit card number, the card type and expiration date, as well as passport number.
These types of data are invaluable to criminals, who could go on to use them for various types of fraud, or sell the data on the dark web.
Symantec’s principal threat researcher Candid Wueest says that the privacy risk is low, given that the third-party providers are trusted by the websites.
“However, it is concerning that I found more than one-quarter (29%) of the hotel sites did not encrypt the initial link sent in the email that contained the ID,” says Wueest, who led the research.
“A potential attacker could, therefore, intercept the credentials of the customer who clicks on the HTTP link in the email, for example, to view or modify his or her booking. This may occur at public hotspots such as the airport or the hotel unless the user protects the connection with VPN software.”
Hotel data leak could let hackers locate individuals
Someone in possession of the booking reference could also modify the hotel reservation or cancel it. A hacker could also use access to collect intelligence on an individual’s whereabouts, which could be a threat for high-profile individuals on the move – something that could also lead to a physical threat.
Symantec said that it contacted the affected hotels, but the response was “disappointing”, with 25% of data protection officers not replying within the first six weeks.
Wueest suggests that booking sites should use encrypted links to prevent further leaks.
“Customers can check if links are encrypted or if personal data such as their email address is passed as visible data in the URL,” says Wueest.
“They can also use VPN services to minimize their exposure on public hotspots. Unfortunately, for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel.”
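The two checks Wueest describes, whether the confirmation link is encrypted and whether personal data such as an email address or the booking reference travels as visible data in the URL, can be automated. The script below is an added example written for this page; it is not Symantec's tooling or code from any hotel site. The hostnames, paths and parameter names are constructed, and the list of parameter names treated as booking identifiers is an assumption. It also models one common channel through which a reference in a URL reaches analytics and advertising domains, the Referer header, under two browser referrer policies: `no-referrer-when-downgrade`, for many years the browser default, and the stricter `strict-origin-when-cross-origin`.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample links of the kind a confirmation e-mail might carry.
# Hostnames, paths and parameter names are assumptions for this example.
SAMPLE_LINKS = [
    "http://booking.example-hotel.test/view?ref=AB12345&email=guest@example.com",
    "https://booking.example-hotel.test/view?ref=AB12345",
    "https://booking.example-hotel.test/view",
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Parameter names that often carry a booking identifier (assumed list).
BOOKING_ID_KEYS = {"ref", "reference", "booking", "bookingid", "reservation", "confirmation"}


def audit_link(url):
    """Return the findings for one confirmation link: a plain HTTP scheme,
    and any e-mail address or booking reference visible in the query string."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("unencrypted link (scheme %r)" % (parsed.scheme or ""))
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        if EMAIL_RE.match(value):
            findings.append("email address in parameter %r" % key)
        if key.lower() in BOOKING_ID_KEYS and value:
            findings.append("booking reference in parameter %r" % key)
    return findings


def referer_sent(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Model the Referer header a browser attaches when the booking page loads
    a resource (analytics script, ad pixel).  'no-referrer-when-downgrade'
    sends the full page URL unless an HTTPS page fetches an HTTP resource;
    'strict-origin-when-cross-origin' sends the full URL only to the same
    origin, just the origin to other origins, and nothing on a downgrade."""
    page, res = urlparse(page_url), urlparse(resource_url)
    downgrade = page.scheme == "https" and res.scheme == "http"
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    origin = "%s://%s/" % (page.scheme, page.netloc)
    if downgrade:
        return None
    if policy == "no-referrer-when-downgrade":
        return page_url
    if policy == "strict-origin-when-cross-origin":
        return page_url if same_origin else origin
    raise ValueError("unsupported policy: %s" % policy)


def leaks_booking_reference(referer):
    """True if a Referer value still carries a booking reference."""
    return referer is not None and any(
        "booking reference" in f for f in audit_link(referer)
    )


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", audit_link(link) or ["no findings"])
    # Constructed third-party analytics host; shows what each policy leaks.
    page = SAMPLE_LINKS[1]
    tracker = "https://analytics.example-third-party.test/collect.js"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        ref = referer_sent(page, tracker, policy)
        print(policy, "sends", ref, "leaks reference:", leaks_booking_reference(ref))
```

Run against a real confirmation email, the first check flags exactly the two conditions in the quote: a link that starts with `http://`, and an email address or reference visible in the query string. The second part shows why the site's own encryption is not the whole story: with the older default policy the full URL, reference included, is sent to every third-party script the page embeds, while a `Referrer-Policy: strict-origin-when-cross-origin` header on the booking page reduces that to the bare origin. Keeping the reference out of the URL altogether (for example, in a session established after login) removes the leak entirely.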
The latest hotel data leak shows that the hospitality sector still faces security challenges. Several hotel chains, including Marriott, have recently come under fire for high-profile data breaches. That's despite the tougher General Data Protection Regulation coming into force in May 2018 and threatening maximum fines of €20m or 4% of global annual turnover.