Symantec, a cybersecurity software company, found that about two-thirds of hotels leak guests’ personal information to third-party sites.
The research covered 1,500 hotels in 54 countries, from two-star properties to five-star hotels. Of these, 67 percent were found to be leaking guest names, home addresses, email addresses, phone numbers, some credit card information and even passport numbers to third-party sites.
Person, who led the study, said: “While it is no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.”
Some reservation systems were commendable, as they only revealed a numerical value and the date of the stay and did not divulge any personal information.
The way that hotels leaked information varied. Some sites passed on personal details during the booking process or when the traveler logged onto the hotel website. The hotels do not always appear to be aware of the leak, as compromises could occur when a hotel site sent a confirmation email containing links with direct booking information. The reference code attached to the link could be shared with 30 different service providers, social networks, advertising companies and search engines.
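A site owner can test for this kind of leak by loading the booking page, capturing the requests it triggers and flagging any third-party request that carries the booking reference. The following is an added example, not code from Symantec's study; the hosts, the parameter names (`ref`, `email`) and the captured requests are constructed, and it assumes the reference travels in the link's query string and reaches third parties through request URLs or Referer headers.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample data: hypothetical hotel site and third-party hosts.
BOOKING_URL = "https://hotel.example/manage?ref=BK7731942&email=guest%40mail.example"
SENSITIVE_PARAMS = {"ref", "email"}  # assumed parameter names

# (request URL, Referer header) pairs captured while the booking page loads.
REQUESTS = [
    ("https://hotel.example/static/app.js", BOOKING_URL),
    ("https://ads.example/pixel.gif?u=BK7731942", "https://hotel.example/"),
    ("https://analytics.example/collect", BOOKING_URL),
    ("https://cdn.example/font.woff2", "https://hotel.example/"),
    ("https://social.example/widget.js", "https://hotel.example/manage"),
]

def sensitive_values(url, names):
    """Return {param: decoded value} for sensitive query parameters in the link."""
    return {k: v for k, v in parse_qsl(urlsplit(url).query) if k in names and v}

def is_third_party(host, first_party):
    """A host is third-party unless it is the hotel host or one of its subdomains."""
    return host != first_party and not host.endswith("." + first_party)

def find_leaks(booking_url, requests, names=SENSITIVE_PARAMS):
    """List (host, parameter, channel) for each booking value sent off-site."""
    first_party = urlsplit(booking_url).hostname
    secrets = sensitive_values(booking_url, names)
    leaks = set()
    for req_url, referer in requests:
        host = urlsplit(req_url).hostname
        if not is_third_party(host, first_party):
            continue
        for channel, text in (("url", req_url), ("referer", referer or "")):
            decoded = unquote(text)  # percent-encoding must not hide a match
            for name, value in secrets.items():
                if value in decoded:
                    leaks.add((host, name, channel))
    return sorted(leaks)

if __name__ == "__main__":
    for host, name, channel in find_leaks(BOOKING_URL, REQUESTS):
        print(f"{host}: booking parameter '{name}' exposed via {channel}")
```

Requests that show up in the result point to the fix: keep booking credentials out of URLs, or load no third-party resources on pages reached through those links.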
In most cases, the research found that the booking data remains visible, even if the reservation has been canceled, granting an attacker a large window of opportunity to steal personal information.
Symantec notified the hotels of the leaks, and 25 percent of the data privacy officers at those hotels did not reply to the company within six weeks of being notified. Those who replied took an average of 10 days to respond.
Some admitted that they are still updating their systems to be fully GDPR-compliant. GDPR refers to the General Data Protection Regulation, a European privacy law with strict guidelines for how organizations and businesses deal with data leakage.