Two-thirds of hotel websites leak guests’ booking information, according to a new security report.
Last November, Marriott International revealed it had experienced one of the biggest breaches in history, exposing data from 500 million guest records.
But a study from the cybersecurity firm Symantec released on Thursday shows it’s not just Marriott guests that need to be concerned about their data.
Symantec threat researcher Candid Wueest analysed 1,500 hotel websites across 54 countries, spanning two-star to five-star-rated hotels. He discovered that two out of three hotel sites inadvertently leak personal information and booking data to third-party entities, including analytics and ad companies.
The main issue the researcher discovered was the hotels’ practice of including a direct access link in the confirmation emails sent to guests. In 57 per cent of the hotel sites that the researchers tested, a link in the email lead directly to the reservation without requiring authentication. Therefore, anyone with the URL link can access the customer’s information.
Since these websites have content from advertisers and analytics tools, those third-party entities could access the URL that shows customer information.
“While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” Wueest writes in the report.
The researcher also found that some hotel sites were vulnerable to brute force attacks, in which the hacker tries multiple combinations of a booking reference, usually through a machine that does it automatically. For some websites, he did not even need a name or email, just a reference code.
“I found multiple examples of these coding mistakes, which would have allowed me to not only access all active reservations for a large hotel chain, but also view every valid flight ticket of an international airline,” Wueest wrote.
He suggested such brute force attacks could be useful to a hacker who wants to target the people at a particular hotel conference.
Wueest said in the report that he alerted every hotel of the issue, and 25 per cent of the hotel’s data privacy officers did not respond. On average, the officers who did respond took 10 days to do so. Some hotel representatives apparently pushed back and said the data in question should be shared with ad companies, as is mentioned in their privacy policy.