Report: Two-thirds of hotel websites leak guest booking details

New research from Symantec shows that a majority of hotels—from small independent properties to large five-star resorts and chains—routinely leak detailed guest booking data through third-party advertisers, social media websites, data aggregators and other partners.

Guest information available to such parties includes full name, address, mobile phone number, passport number and the last four digits of credit card numbers.

Candid Wueest, a threat researcher at Symantec, tested more than 1,500 hotels in 54 countries to understand the scope of the problem. He discovered more than two-thirds of them (67 percent) were inadvertently leaking booking reference codes through third-party sites. 

“The information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” he said in a report.

Nearly six in 10 (57 percent) of the sites tested sent a confirmation email to guests after a booking was completed. The emails contained a link that allowed the guest to directly access their reservation details without having to log in to do so.


Booking websites also use third-party analytics tools, which are only activated by contacting third-party servers. This normally happens behind the scenes, but in this case the direct-access URL is passed on to those third parties, meaning anyone at the external organization could view your booking and the data it contains.

The company says that almost all useful personal information could be at risk from such attacks, from full name and email address to credit card details and passport number. 

Symantec also found that many websites allow brute forcing of the booking reference entry system because in many cases, the booking reference code is simply carried over from one booking to the next. This means that if the attacker knows the email or the last name of the customer, he or she can guess that customer’s booking reference number and log in.

“While it's no secret that advertisers are tracking users' browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether,” Wueest wrote in a blog post outlining the findings.

Unfortunately, this practice is not unique to the hospitality sector. Inadvertent sharing of sensitive information over URL arguments or in the referrer field is prevalent among websites. In the past few years, Wueest said he has seen similar issues with multiple airlines, holiday attractions and other websites. Other researchers reported similar issues in February where unencrypted links were used across multiple airline service providers.

Resolving the Issue

Under the General Data Protection Regulation, the personal data of individuals in the European Union must be better protected in light of such issues. However, the affected hotels' response to his findings was disappointing, Wueest wrote.

“I contacted the data privacy officers of the affected hotels and informed them of my findings,” he said. “A surprising 25 percent of DPOs did not reply within six weeks. One email bounced, as the email address in the privacy policy was no longer active. Of those who did respond, it took them an average of 10 days.”

Those who did respond mainly confirmed receiving the inquiry and committed to investigating the issue and implementing any necessary changes. Some argued that it wasn't personal data at all and that the data has to be shared with advertising companies as stated in the privacy policy. Some admitted that they are still updating their systems to be fully GDPR-compliant. 

Other hotels that use external services for their booking systems became concerned that those service providers turned out not to be GDPR-compliant after all, indicating the hotels may not have properly vetted their booking service partners as GDPR requires, according to the report.

“The main takeaway here for hotel sites and operators is the fact that this issue exists, despite the GDPR coming into effect in Europe almost one year ago,” he said.

GDPR and other privacy statutes such as the California Consumer Privacy Act prohibit such information sharing without clear, explicit disclosure and consumer consent. Hotels need to take the time to assess their processes and data protections to ensure they are compliant, Wueest noted.

Technically, at least, hotel websites and operators can detect if any of their partners are using their access to actually view guest reservation information. For instance, a hotel could check its web server access log to see if there are many different logins from a single IP, Wueest said. “But it’s doubtful that there are alerts in place to automatically detect this in all hotels,” he said.
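The access-log check Wueest describes, written out as an added example (this is not code from Symantec or the report): it counts the distinct reservations opened from each source IP and also flags runs of consecutive reference numbers, the footprint of the carried-over booking codes discussed above. The combined log format, the /reservation path, the booking_ref parameter and the per-IP threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed (not from the article): combined log format, a reservation page at
# /reservation, and the booking reference passed as the booking_ref parameter.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def reservation_views(lines):
    """Map each source IP to the set of booking references it viewed (HTTP 200 only)."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        url = urlsplit(m.group("target"))
        ref = parse_qs(url.query).get("booking_ref")
        if url.path == "/reservation" and ref:
            seen[m.group("ip")].add(ref[0])
    return seen

def is_sequential(refs):
    """True when numeric references form one consecutive run (guessed carried-over codes)."""
    try:
        nums = sorted(int(r) for r in refs)
    except ValueError:
        return False
    return len(nums) > 1 and nums[-1] - nums[0] == len(nums) - 1

def suspicious_ips(lines, max_distinct=2):
    """Return {ip: reason} for IPs over the per-IP budget (an assumed threshold) or walking consecutive codes."""
    result = {}
    for ip, refs in reservation_views(lines).items():
        if len(refs) > max_distinct:
            result[ip] = f"{len(refs)} distinct reservations"
        elif is_sequential(refs):
            result[ip] = "consecutive booking references"
    return result
# Constructed sample: 203.0.113.5 plays a third party following leaked direct-access
# links, 192.0.2.9 walks consecutive codes, 198.51.100.7 is the legitimate guest.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2019:09:58:12 +0000] "GET /reservation?booking_ref=100231&email=a%40example.com HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2019:10:00:01 +0000] "GET /reservation?booking_ref=100231&email=a%40example.com HTTP/1.1" 200 812 "https://tracker.example/" "bot/1.0"',
    '203.0.113.5 - - [10/Apr/2019:10:00:02 +0000] "GET /reservation?booking_ref=100562&email=b%40example.com HTTP/1.1" 200 799 "https://tracker.example/" "bot/1.0"',
    '203.0.113.5 - - [10/Apr/2019:10:00:03 +0000] "GET /reservation?booking_ref=100877&email=c%40example.com HTTP/1.1" 200 801 "https://tracker.example/" "bot/1.0"',
    '192.0.2.9 - - [10/Apr/2019:10:05:00 +0000] "GET /reservation?booking_ref=100400&email=e%40example.com HTTP/1.1" 200 790 "-" "curl/7.64"',
    '192.0.2.9 - - [10/Apr/2019:10:05:01 +0000] "GET /reservation?booking_ref=100401&email=e%40example.com HTTP/1.1" 200 790 "-" "curl/7.64"',
    '192.0.2.9 - - [10/Apr/2019:10:05:02 +0000] "GET /reservation?booking_ref=100402&email=e%40example.com HTTP/1.1" 404 120 "-" "curl/7.64"',
]
```

Running `suspicious_ips(SAMPLE_LOG)` on the constructed sample flags the third-party address for opening three different reservations and the enumerating address for consecutive codes, while the guest who only opened their own booking is left alone.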