Symantec: Two in Three Hotel Sites Leak Booking Details, Allow Access to Personal Data

NATIONAL REPORT—According to a blog post on the website of cybersecurity software and services company Symantec, two in three hotel websites leak guest booking details and allow third parties to access personal data.

“While researching possible ‘formjacking’ attacks on hotel websites recently, I stumbled across a separate issue that could potentially leak my and other guests’ personal data,” Candid Wueest, principal threat researcher with Symantec’s security technology and response (STAR) division, wrote in the post. “I tested multiple websites—including more than 1,500 hotels in 54 countries—to determine how common this privacy issue is. I found that two in three, or 67%, of these sites are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies. All of them did have a privacy policy, but none of them mentioned this behavior explicitly.”

The information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether.

Wueest tested sites ranging from two-star hotels in the countryside to luxurious five-star resorts on the beach. “Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations,” he wrote. “Some hotel sites I tested are part of larger, well-known hotel chains, meaning my research for one hotel applies to other hotels in the chain.”

The leaked information:

  • Full name
  • Email address
  • Postal address
  • Mobile phone number
  • Last four digits of credit card, card type, and expiration date
  • Passport number

Given these findings, Lisa Baergen, VP of marketing for NuData Security, a Mastercard company, said hospitality companies need to step up their security measures. “User experience and security still seem to be at odds for many hospitality websites. In an effort to make information easily accessible to third parties and customers, some companies lower their security measures that expose customer data. Hotels and other hospitality companies should work on securing their digital supply chains, reassess the security measures protecting their customers’ data and have post-breach processes ready.”

She continued, “After a breach happens, hospitality companies need to be ready to mitigate the damages by correctly authenticating their good users despite hackers potentially leveraging stolen credentials. This sort of data exposure is why so many organizations—from the hospitality sector through to eCommerce companies, financial institutions and major retailers—are layering in advanced security solutions, such as passive biometrics and behavioral analytics that identify customers by their online behavior, thus mitigating post-breach damage as hackers are not able to impersonate individual behavior.”