Two-thirds of hotel websites leak guests' booking and personal details

A worrying new report has revealed that as many as two-thirds of hotel websites leak guests’ personal details to third-party sites.

The report, by Symnatec, revealed that 67 per cent of hotels in 54 countries are inadvertently leaking personal details - including guest names, email address, phone numbers and even passport numbers.

Candid Wueest, who led the study, said: “While it’s no secret that advertisers are tracking users’ browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.”

In the study, the researchers tested a range of hotel websites, ranging from two-star hotels to five-star resorts.

Mr Wueest said: “Some reservation systems were commendable, as they only revealed a numerical value and the date of the stay and did not divulge any personal information. But the majority leaked personal data.”

.

Keep Reading business

•  SIB partners with CISI to elevate professional standards and enhance financial advisory skills among staff
•  Angola ICT Minister: Invest in space industry to ensure a connected, peaceful Africa
•  NCPB sets in motion plans to compensate farmers for fake fertiliser
•  Governors reject revenue Bill, demand Sh439.5 billion allocation
•  Firm linked to fake fertiliser calls for arrest of Linturi, NCPB boss Premium

This personal data included full names, email addresses, postal addresses, mobile phone numbers, last four digits of credit card, card type, and expiration date, and passport numbers.

The main issue lies in the way that hotels send email confirmations to customers, which allow them to directly access their bookings.

Many sites directly load additional content on the same website as the booking, such adverts, meaning this direct access to bookings can be shared directly with other resources.

In other instances, some sites passed on the personal information during the booking process, while others leaked it when the customer manually logged into the website.

Mr Wueest said: “In most cases, I found that the booking data remains visible, even if the reservation has been canceled, granting an attacker a large window of opportunity to steal personal information.”

In response to the findings, Symnactec contacted the affected hotels and told them about the findings.

Worryingly, it took the hotels an average of 10 days to reply, and 25 per cent didn’t reply at all within six weeks.

Mr Wueest added: “Unfortunately, for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel.”