Information that people submit when making an online hotel reservation is often available in its entirety to a lot more parties than just the hotel itself.
New research from Symantec shows that a majority of hotels—from small independent properties to large five-star resorts and chains—routinely leak detailed guest booking data with third-party advertisers, social media websites, data aggregators, and other partners.
Guest information available to such parties includes full name, address, mobile phone number, passport number, and the last four digits of credit card numbers.
Candid Wueest, a threat researcher at Symantec tested more than 1,500 hotels in 54 countries to understand the scope of the problem. He discovered more than two-thirds of them—67%—were inadvertently leaking booking reference codes with third-party sites. "The information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether," he said in a report Wednesday.
Nearly six-in-10 (57%) of the sites tested sent a confirmation email to guests after a booking was completed. The emails contained a link that allowed the guest to directly access their reservation details without having to log in to do so.
Since the emails use a static link, the booking reference code and the guest's email are contained in the URL itself. What makes this an issue is the fact that many hotels load additional content, such as advertisements, on the same booking overview page.
Wueest's research showed that some hotels in fact share the booking reference code with as many as 30 different third parties, including social networks, search engines, analytics and advertisement services.
In many cases, guest booking information remained available on the hotel website and accessible via the email link even after a customer canceled the reservation.
Emails with direct links are not the only problem. Some hotel websites in Wueest's study leaked guest information with online partners during the booking process itself, while others leaked it when customers logged in to their reservation page.
In addition, nearly 30% of the sites did not encrypt the links they send in the email for customers to access reservation information. This gives attackers a way to potentially intercept the link and to view or modify a booking. Such an attack would be feasible in public hotspots such as those in an airport or a hotel.
Privacy and Compliance Risks
For consumers, the key takeaway is that personal information including their full name, home address, email address, credit card details, and passport number might not be kept private when booking hotels, Wueest says.
"The main takeaway here for hotel sites and operators is the fact that this issue exists, despite the [EU General Data Protection Regulation] coming into effect in Europe almost one year ago," he says.
GDPR and other privacy statutes such as the California Consumer Privacy Act prohibit such information sharing without clear, explicit disclosure and consumer consent. Hotels need to take the time to assess their processes and data protections to ensure they are compliant, Wueest notes.
Technically at least hotel websites and operators can detect if any of their trusted partners are using their access to actually view guest reservation information. A hotel for instance could check its web server access log to see if there are many different logins from a single IP, Wueest says. "But it’s doubtful that there are alerts in place to automatically detect this in all hotels," he says.
Hotel operators are not the only ones guilty of such inadvertent data leaks. A report by Wandera earlier this year showed many airline companies are putting passenger data at risk by sending them similarly unencrypted links to check-in for flights. The links give attackers a way to view and change passenger details and to print the boarding passes, Wandera found.
Hotels and booking services need to review their online reservation processes and ensure they are compliant with applicable laws, Wueest says. "Sites should use encrypted links and ensure that no credentials are leaked as URL arguments, for example by using cookies," as permitted by privacy laws, he says. "This is notably a developer issue."
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.