New research has revealed the true extent of the hotel industry’s internet security flaws.
After testing more than 1,500 hotels in 54 countries, a researcher at Symantec found that 67 percent of hotel websites were leaking booking reference codes to third-party sites.
The majority of these sites leaked personal data such as:
• Full name
• Email address
• Postal address
• Mobile phone number
• Last four digits of credit card
• Passport number
“More than half of the sites I tested send a confirmation email to customers with a direct access link to their booking,” said Candid Wueest, principal threat researcher, Symantec.
While this is useful and convenient for customers, clicking the booking link in the email often also shares the information with other service providers on the site, such as advertisers, social networks, search engines and analytics services.
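A site operator can check a booking page for this kind of exposure by reviewing the requests it triggers. The following is an added example, not code from the Symantec research: it assumes the booking reference and email travel in the link's query string and reach third parties through the request URL or the Referer header; all hostnames, values and function names are constructed.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample data: a booking link as it might appear in a confirmation
# email (assumed to carry the reference and email in its query string), and the
# requests the booking page then triggers, e.g. copied from a browser HAR export.
BOOKING_URL = "https://booking.hotel.example/retrieve?ref=ABC12345&email=guest%40mail.example"
SECRETS = {"ABC12345", "guest@mail.example"}
REQUESTS = [
    {"url": "https://booking.hotel.example/static/app.js", "referer": BOOKING_URL},
    {"url": "https://ads.tracker.example/pixel.gif", "referer": BOOKING_URL},
    {"url": "https://analytics.example/collect?page=%2Fretrieve%3Fref%3DABC12345",
     "referer": "https://booking.hotel.example/"},
    {"url": "https://cdn.fonts.example/font.woff2",
     "referer": "https://booking.hotel.example/"},
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_first_party(host, site_host):
    # Treat the booking host and its subdomains as first party; everything
    # else (advertisers, analytics, social widgets) counts as third party.
    return host == site_host or host.endswith("." + site_host)

def find_booking_leaks(booking_url, secrets, requests):
    """Return (host, channel, leaked_values) for each third-party exposure."""
    site_host = host_of(booking_url)
    findings = []
    for req in requests:
        host = host_of(req["url"])
        if is_first_party(host, site_host):
            continue
        for channel in ("url", "referer"):
            # Decode percent-encoding so "guest%40..." matches "guest@...".
            value = unquote(req.get(channel, ""))
            leaked = sorted(s for s in secrets if s in value)
            if leaked:
                findings.append((host, channel, leaked))
    return findings

if __name__ == "__main__":
    for host, channel, leaked in find_booking_leaks(BOOKING_URL, SECRETS, REQUESTS):
        print(f"{host}: {', '.join(leaked)} exposed via {channel}")
```

A finding in the `referer` channel can be closed by serving the booking page with a restrictive `Referrer-Policy` header; a finding in the `url` channel means a script on the page is copying the page address into its own request.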
Another issue Wueest found was hotel websites being vulnerable to brute-force attacks, which allow attackers to repeatedly guess booking numbers until they guess one correctly.