A worrying new report has revealed that as many as two-thirds of hotel websites leak guests’ personal details to third-party sites.
The report, by Symnatec, revealed that 67% of hotels in 54 countries are inadvertently leaking personal details - including guest names, email address, phone numbers and even passport numbers.
Candid Wueest, who led the study, said: “While it’s no secret that advertisers are tracking users’ browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.”
In the study, the researchers tested a range of hotel websites, ranging from two-star hotels to five-star resorts.
Facebook 'exposed data of more than half a billion on Amazon’s cloud servers'
Mr Wueest said: “Some reservation systems were commendable, as they only revealed a numerical value and the date of the stay and did not divulge any personal information. But the majority leaked personal data.”
This personal data included full names, email addresses, postal addresses, mobile phone numbers, last four digits of credit card, card type, and expiration date, and passport numbers.
The main issue lies in the way that hotels send email confirmations to customers, which allow them to directly access their bookings.
Malware found in Game of Thrones downloads that could 'zombify' your computer
Many sites directly load additional content on the same website as the booking, such adverts, meaning this direct access to bookings can be shared directly with other resources.
In other instances, some sites passed on the personal information during the booking process, while others leaked it when the customer manually logged into the website.
Mr Wueest said: “In most cases, I found that the booking data remains visible, even if the reservation has been canceled, granting an attacker a large window of opportunity to steal personal information.”
Email addresses of a BILLION people leaked in one of biggest ever data breaches
In response to the findings, Symnactec contacted the affected hotels and told them about the findings.
Worryingly, it took the hotels an average of 10 days to reply, and 25% didn’t reply at all within six weeks.
Mr Wueest added: “Unfortunately, for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel.”
