Two in three hotel websites are putting guests’ private data at risk, according to security firm Symantec. The affected sites covered a range of hotels, from 5-star beach resorts to 2-star hotels in the countryside.
Data Going to Third Parties
Symantec’s Principal Threat Researcher Candid Wueest made the discovery whilst researching potential formjacking attacks on hotel websites. He found:
2 in 3, or 67% of these sites are inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies. All of them did have a privacy policy, but none of them mentioned this behavior explicitly.
He said that ‘some reservation systems were commendable,’ and only revealed the date and numerical value of a stay. However, others leaked personal data including full name, address, credit card information and passport number.
The issue was partly caused by confirmation emails sent to customers. A significant number of hotel sites did not encrypt the link in an email containing the booking ID. Booking references could also be accessed by brute forcing.
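A site operator can test for both problems described above, the unencrypted confirmation link and the booking reference reaching third parties. The following is an added example, not code from Symantec or from the original article; the sample link, booking reference, request log and host names are constructed, and it assumes the reference travels in the request URL or the Referer header.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample data: a confirmation-email link and the requests a
# browser made while rendering the booking page it points to.
EMAIL_LINK = "http://booking.hotel.example/retrieve?ref=ABC12345&email=guest%40mail.example"
BOOKING_REF = "ABC12345"
REQUESTS = [
    {"url": "https://booking.hotel.example/static/app.js", "referer": EMAIL_LINK},
    {"url": "https://ads.tracker.example/pixel.gif?page=confirm", "referer": EMAIL_LINK},
    {"url": "https://stats.analytics.example/collect?dl=%2Fretrieve%3Fref%3DABC12345",
     "referer": "https://booking.hotel.example/"},
    {"url": "https://cdn.fonts.example/font.woff2", "referer": ""},
]


def site(url):
    """Last two host labels; a simplification that ignores the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def audit(email_link, booking_ref, requests):
    """Return (issue, detail) tuples for a cleartext link and third-party leaks."""
    findings = []
    # A link that is not HTTPS exposes the booking reference on the network.
    if urlsplit(email_link).scheme != "https":
        findings.append(("cleartext-link", email_link))
    first_party = site(email_link)
    for req in requests:
        if site(req["url"]) == first_party:
            continue  # same site as the booking page, not a third party
        for field in ("url", "referer"):
            # Decode percent-escapes so an encoded copy of the page URL is caught too.
            if booking_ref in unquote(req[field]):
                findings.append((f"third-party-{field}", urlsplit(req["url"]).hostname))
    return findings


if __name__ == "__main__":
    for issue, detail in audit(EMAIL_LINK, BOOKING_REF, REQUESTS):
        print(f"{issue}: {detail}")
```
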