Researcher finds over two thirds of hotel websites leak personal data

The old-fashioned way in which hotels send email confirmations is leading to the leak of guests’ personal data in 67% of test cases, Symantec has discovered.

Candid Wueest, principal threat researcher at Symantec, used 45 different websites covering more than 1500 hotels across 54 countries and found that the over two-thirds of them were leaking key data to third-party sites, which would said third parties to log in, view personal information and cancel bookings. The personal information would contain things like full name, email address, postal address, mobile phone number, limited credit card information and passport numbers.

It’s all thanks to a well-meaning but worrying convenience for the customer. Confirmation emails tend to provide a direct link to their booking, and this will include their email address and booking number. Something like: “https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld”

But as we all know – or should know – browser data isn’t just between you and the website, and myriad analytics, advertising and tracking companies are also party to the URL which reveals the data. In fact, Wueest wrote that his tests showed an average of 176 requests are generated per booking.

Related: Best free antivirus

As he explained, there was no correlation with price or hotel quality on how secure they were. “The sites I tested ranged from two-star hotels in the countryside to luxurious five-star resorts on the beach,” he wrote. “Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations. Some hotel sites I tested are part of larger, well-known hotel chains, meaning my research for one hotel applies to other hotels in the chain.”

You may consider this to be pretty low risk, given the third-party service providers are presumably trusted by the hotel sites. But it’s not quite as simple as that: “It is concerning that I found more than one-quarter (29%) of the hotel sites did not encrypt the initial link sent in the email that contained the ID,” Wueest wrote.

“A potential attacker could therefore intercept the credentials of the customer who clicks on the HTTP link in the email, for example, to view or modify his or her booking. This may occur at public hotspots such as the airport or the hotel, unless the user protects the connection with VPN software.”

Related: Best VPN

You can read the full findings on the Symantec website.

Are you worried about this, or does it seem a remote security risk in the greater scheme of things? Let us know what you think on Twitter: @TrustedReviews.