Two out of three hotel websites leak guest booking details

Cybersecurity expert at Symantec reveals that hotels are sharing private information with multiple parties

Is your hotel exposing you to bad actors?

Hotel websites may be leaking your booking details, allowing others to view your personal data or even cancel your reservation.

Candid Wueest, a cybersecurity expert at Symantec, tested the websites of more than 1,500 hotels in 54 countries, including the Middle East, to determine how seriously they take customer privacy.

He found that two in three, or 67%, of these sites inadvertently leak booking reference codes to third-party sites such as advertisers and analytics companies. All of them had a privacy policy, but none of them mentioned this behaviour explicitly, he revealed in a blog post.

While it’s no secret that advertisers are tracking users’ browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.

Some reservation systems revealed only a numerical value and the date of the stay and did not divulge any personal information. But the majority leaked personal data such as full name, email address, postal address, mobile phone number, the last four digits of the credit card number together with the card type and expiry date, and passport number.

What causes these leaks?

More than half (57%) of the sites Wueest tested send customers a confirmation email containing a direct-access link to their booking. This is provided for the customer's convenience: clicking the link goes straight to the reservation without having to log in.

Because a link in an email must be static, an HTTP POST request is not really an option, so the booking reference code and the email address are passed as parameters in the URL itself. On its own, this would not be an issue. However, many sites load additional content, such as advertisements and analytics scripts, into the same page. The direct-access URL is then shared either directly, when the page passes it to those resources in their own request URLs, or indirectly through the referrer field of the HTTP requests the browser makes for them. Wueest’s tests showed that an average of 176 requests are generated per booking page. Not all of these requests contain the booking details, but the number indicates how widely the booking data could be shared.

As mentioned, the same data also appears in the referrer field, which the browser sends along in most cases. This resulted in the reference code being shared with more than 30 different service providers, including well-known social networks, search engines, and advertising and analytics services. Any of them could use it to log into the reservation, view personal details, and even cancel the booking altogether.
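The two leakage channels described above can be modelled in a few lines. The following is an added example, not code from the article or from Symantec's research: it takes a constructed booking link of the kind a confirmation email carries, a constructed list of the sub-resources a reservation page might load (placeholder hosts under `.test`), and a Referrer-Policy value, and reports which third-party hosts receive the booking reference or email address, and whether they get it through their own request URL or through the Referer header. The referrer-policy logic is a simplified version of the browser rules; `no-referrer-when-downgrade` was the browser default when this research was published, and `strict-origin-when-cross-origin` is the default in current browsers. The nested decoding is there because a page URL copied into a query parameter is percent-encoded a second time, which a naive substring check would miss.

```javascript
// Added example, not code from the article or from Symantec's research.
// Models the two leakage channels for an email-style booking link:
// (1) a third-party tag copying the page URL into its own request, and
// (2) the browser's Referer header. All hosts and values are constructed.

// Simplified Referrer-Policy semantics (the policies that matter here).
// Returns the Referer header value the browser would send, or null for none.
// Assumption: URLs are absolute; fragments and credentials are never sent,
// which matches real browser behaviour.
function refererFor(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  const full = page.origin + page.pathname + page.search;   // path and query string included
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin':
      return page.origin + '/';
    case 'strict-origin-when-cross-origin':              // current browser default
      if (downgrade) return null;
      return sameOrigin ? full : page.origin + '/';
    case 'unsafe-url':
      return full;
    case 'no-referrer-when-downgrade':                   // browser default in 2019
    default:
      return downgrade ? null : full;
  }
}

// Decode nested percent-encoding (a URL embedded in a query parameter is
// encoded a second time), stopping on malformed escapes or when stable.
function fullyDecode(s) {
  for (let i = 0; i < 5; i++) {                          // bounded; deeper nesting is unrealistic
    let next;
    try { next = decodeURIComponent(s); } catch (e) { return s; }
    if (next === s) return s;
    s = next;
  }
  return s;
}

// Pull the sensitive query parameters out of the booking link.
function sensitiveValues(pageUrl, paramNames) {
  const params = new URL(pageUrl).searchParams;          // get() returns decoded values
  return paramNames
    .filter((name) => params.get(name))
    .map((name) => ({ name, value: params.get(name) }));
}

// For each cross-origin sub-resource request, record which sensitive values it
// receives and through which channel. Returns { host: ['param in channel', ...] }.
function findLeaks(pageUrl, requests, policy, paramNames) {
  const pageHost = new URL(pageUrl).host;
  const secrets = sensitiveValues(pageUrl, paramNames);
  const leaks = {};
  for (const reqUrl of requests) {
    const host = new URL(reqUrl).host;
    if (host === pageHost) continue;                     // first-party request, not a leak
    const referer = refererFor(pageUrl, reqUrl, policy);
    const channels = [
      ['request URL', fullyDecode(reqUrl)],
      ['Referer', referer === null ? '' : fullyDecode(referer)],
    ];
    for (const { name, value } of secrets) {
      for (const [channel, text] of channels) {
        if (text.includes(value)) {
          (leaks[host] = leaks[host] || []).push(`${name} in ${channel}`);
        }
      }
    }
  }
  for (const host of Object.keys(leaks)) leaks[host].sort();
  return leaks;
}

// Constructed booking link of the kind a confirmation email would carry.
const bookingLink =
  'https://www.example-hotel.test/reservation?bookingref=AB12345&email=guest%40example.test';

// Constructed sub-resources the reservation page might load. The analytics
// beacon copies the full page URL into its own query string, as many tags do.
const subresources = [
  'https://www.example-hotel.test/static/app.js',
  'https://analytics.example-tracker.test/collect?dl=' + encodeURIComponent(bookingLink),
  'https://ads.example-adnetwork.test/pixel.gif',
  'https://cdn.example-social.test/widget.js',
];

function summarize(policy) {
  return findLeaks(bookingLink, subresources, policy, ['bookingref', 'email']);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin', 'no-referrer']) {
    console.log(policy, JSON.stringify(summarize(policy), null, 2));
  }
}
```

Run with `node leaks.js`. Under `no-referrer-when-downgrade` all three third-party hosts receive both values; under `strict-origin-when-cross-origin` or `no-referrer` the Referer channel closes, but the analytics host still receives both values because the tag copied the page URL itself. A `Referrer-Policy` header therefore narrows the leak but does not remove it; the reservation page also has to keep the reference and email out of the URL that third-party scripts can read, for example by exchanging the link's token for a session on the server and then redirecting to a clean URL.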

Despite GDPR coming into effect in Europe almost one year ago, its implementation has not fully addressed how organisations handle data leakage. More than 200,000 GDPR violations, complaints and data breaches have been reported so far, and users’ personal data remains at risk.
