large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Researcher finds over two thirds of hotel websites leak personal data

The old-fashioned way in which hotels send email confirmations is leading to the leak of guests’ personal data in 67% of test cases, Symantec has discovered.

Candid Wueest, principal threat researcher at Symantec, used 45 different websites covering more than 1500 hotels across 54 countries and found that the over two-thirds of them were leaking key data to third-party sites, which would said third parties to log in, view personal information and cancel bookings. The personal information would contain things like full name, email address, postal address, mobile phone number, limited credit card information and passport numbers.

It’s all thanks to a well-meaning but worrying convenience for the customer. Confirmation emails tend to provide a direct link to their booking, and this will include their email address and booking number. Something like: “https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld

But as we all know – or should know – browser data isn’t just between you and the website, and myriad analytics, advertising and tracking companies are also party to the URL which reveals the data. In fact, Wueest wrote that his tests showed an average of 176 requests are generated per booking.

Related: Best free antivirus

As he explained, there was no correlation with price or hotel quality on how secure they were. “The sites I tested ranged from two-star hotels in the countryside to luxurious five-star resorts on the beach,” he wrote. “Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations. Some hotel sites I tested are part of larger, well-known hotel chains, meaning my research for one hotel applies to other hotels in the chain.”

You may consider this to be pretty low risk, given the third-party service providers are presumably trusted by the hotel sites. But it’s not quite as simple as that: “It is concerning that I found more than one-quarter (29%) of the hotel sites did not encrypt the initial link sent in the email that contained the ID,” Wueest wrote.

“A potential attacker could therefore intercept the credentials of the customer who clicks on the HTTP link in the email, for example, to view or modify his or her booking. This may occur at public hotspots such as the airport or the hotel, unless the user protects the connection with VPN software.”

Related: Best VPN

You can read the full findings on the Symantec website.

Are you worried about this, or does it seem a remote security risk in the greater scheme of things? Let us know what you think on Twitter: @TrustedReviews.

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.