Hotel Booking Data Chronically Leaked

A threat researcher tested websites of more than 1500 hotels, ranging from modest economy venues to five-star hotels and found that two-thirds of them are leaking “booking reference codes to third-party sites such as advertisers and analytics companies.” In most cases, says Symantec researcher Candid Wueest, this would also divulge personal data – name, email and snail mail address, phone number, last four digits and expiration date of credit card, and passport number. Wueest explains how this works technically, and how this information can be used in ways ranging from mischief – e.g. canceling your reservation – to becoming grist for an extortion or identity theft scheme.
In addition to being a security issue for consumers, this is a GDPR issue for the hotels and the hotel chains. Wueest says he contacted data privacy officers in organizations that had problems, and their response overall “was disappointing.” Some said the data had to be shared with advertising companies per their privacy policy. Others were slow to respond or didn’t respond, period, although some did say they were committed to improving their systems or that they are still updating their systems to be GDPR-compliant. Hotel comparison websites and booking engines, says Wueest, “appear to be slightly more secure.”