Symantec: Majority of hotels inadvertently leak customers’ personal data

Symantec reported on Wednesday (April 10th), via a blog post, that the hospitality industry is still vulnerable to cyber-attacks.

According to Symantec, two in three hotel booking sites inadvertently leak guests’ booking details and personal data to third-party sites, including advertisers.

The study, which reviewed more than 1,500 hotel websites in 54 different countries, comes several months after Marriott International fell victim to one of the worst data breaches ever recorded.

Symantec’s study

Symantec said Marriott was not included in its study.

According to the study, personally identifiable information – such as full names, email addresses, postal addresses, mobile phone number, credit card, and passport number – was among the data leaked.

This information is a potential goldmine for cybercriminals who are interested in the movements of business professionals and government employees, Symantec said.

“While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” said Candid Wueest, the primary researcher on the study.

Email confirmations

The research showed compromises usually occur when a hotel site sends confirmation emails to customers with a direct access link to their booking.

The reference code attached to the link could be shared with more than 30 different service providers, including well-known social media sites, search engines, and advertisement and analytics services.

This information could allow others to log into a reservation, view personal details, and even cancel the booking altogether.

Wueest said 25% of data privacy officers failed to reply within six weeks when notified about the issue. Those who did respond took an average of 10 days.

“Some admitted that they are still updating their systems to be fully GDPR-compliant,” Wueest said.
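
A site owner can check for the leak described above by capturing the requests a booking page makes and looking for the booking reference in anything sent to another domain. The following is an added example, not code from Symantec or from the study; it assumes the reference travels in the request URL or the Referer header, and all hostnames, parameter names and values are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: a direct-access booking link as sent in a confirmation email.
# Hostnames, parameter names and values are hypothetical.
BOOKING_URL = "https://hotel.example/booking/manage?ref=QX7K2M9P&email=guest%40mail.example"
FIRST_PARTY = "hotel.example"
SENSITIVE_PARAMS = {"ref", "email"}  # assumed names of the parameters that grant access

# Constructed capture of requests the booking page triggered: (request URL, Referer header).
REQUESTS = [
    ("https://hotel.example/static/app.js", BOOKING_URL),
    ("https://cdn.ads.example/pixel.gif?page=home", BOOKING_URL),
    ("https://analytics.example/collect?dl=https%3A%2F%2Fhotel.example%2Fbooking%2Fmanage%3Fref%3DQX7K2M9P", "https://hotel.example/"),
    ("https://social.example/widget.js", "https://hotel.example/"),
    ("https://img.hotel.example/logo.png", BOOKING_URL),
]


def secrets_in(url):
    """Return the sensitive values carried in a URL's query string."""
    return {v for k, v in parse_qsl(urlsplit(url).query) if k in SENSITIVE_PARAMS and v}


def is_third_party(host, first_party):
    return host != first_party and not host.endswith("." + first_party)


def find_leaks(booking_url, requests, first_party):
    """Map each third-party host to the channels ('url', 'referer') that exposed a secret."""
    secrets = secrets_in(booking_url)
    leaks = {}
    for url, referer in requests:
        host = urlsplit(url).hostname or ""
        if not is_third_party(host, first_party):
            continue
        # parse_qsl decodes one layer, so a booking URL nested in a parameter is also searched.
        decoded = " ".join(v for _, v in parse_qsl(urlsplit(url).query))
        if any(s in url or s in decoded for s in secrets):
            leaks.setdefault(host, set()).add("url")
        if referer and any(s in referer for s in secrets):
            leaks.setdefault(host, set()).add("referer")
    return leaks


if __name__ == "__main__":
    for host, channels in sorted(find_leaks(BOOKING_URL, REQUESTS, FIRST_PARTY).items()):
        print(host, sorted(channels))
```

Any host in the result received enough of the link to open the reservation without further authentication.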
