A research study by Symantec Corp of 1,500 hotel websites in 54 countries was recently released. The study took a look at two-star to five-star hotels across the world, with booking details and personal data as the point of interest.
The study comes just months after one of the biggest data breaches in history was confirmed by Marriott International, which was not included in Symantec’s study.
The type of information Symantec sought was the personal information of guests, including full names, credit card details, email addresses, postal addresses, mobile phone numbers and passport numbers. The study found that two in three hotel websites are leaking booking reference codes to third-party sites.
Symantec noted that cybercriminals would be “interested in the movements of influential business professionals and government employees.”
For example, as noted by the study’s lead researcher, Candid Wueest, the shared information could allow hackers to log into a reservation to review details and even cancel bookings.
The research found that the weak points in the hotel website booking process occurred when the hotel would send confirmation emails with a link to direct booking information. The reference code could be shared with more than 30 different service providers, including search engines, social networks and ad services.
The study found that nearly one in three hotel sites didn’t encrypt the initial link, sent in an email, that contains the ID. This leaves the customer vulnerable to hackers who can manipulate the email to gain credentials.
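The two weak points described above, an unencrypted booking link and a reference code that reaches third-party services, can be checked from the hotel's side. The following is an added example, not code from the Symantec study: the parameter names, the sample link and the sample page are constructed assumptions, and the exposure paths it reports (scripts reading the page URL, the Referer header) are general browser behaviour rather than details given in the article.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed parameter names; the article does not say which ones hotels use.
IDENTIFIER_PARAMS = {"ref", "booking", "bookingid", "confirmation", "email"}

class ResourceHosts(HTMLParser):
    """Collect the hosts a page loads scripts and other resources from."""
    def __init__(self):
        super().__init__()
        self.script_hosts, self.other_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        url = attr.get("href") if tag == "link" else attr.get("src")
        if tag not in ("script", "img", "iframe", "link") or not url:
            return
        host = urlsplit(url).hostname  # None for relative (first-party) URLs
        if host:
            bucket = self.script_hosts if tag == "script" else self.other_hosts
            bucket.add(host.lower())

def audit_confirmation_link(link, page_html):
    """Report how a booking link and the page behind it expose the reference."""
    parts = urlsplit(link)
    own = (parts.hostname or "").lower()
    parser = ResourceHosts()
    parser.feed(page_html)
    def third_party(hosts):
        return sorted(h for h in hosts if h != own and not h.endswith("." + own))

    return {
        # Plain http leaves the link readable on the network path.
        "encrypted": parts.scheme == "https",
        # Identifiers in the query string travel wherever the URL travels.
        "identifiers_in_url": sorted(
            k for k, _ in parse_qsl(parts.query) if k.lower() in IDENTIFIER_PARAMS),
        # Third-party scripts run in the page and can read its full URL.
        "third_party_script_hosts": third_party(parser.script_hosts),
        # Other loads may get the URL in Referer, depending on referrer policy.
        "other_third_party_hosts": third_party(parser.other_hosts),
    }

# Constructed sample input, not taken from the study.
SAMPLE_LINK = "http://hotel.example/booking?ref=ABC123&email=guest%40mail.example"
SAMPLE_PAGE = ('<script src="https://ads.tracker.example/t.js"></script>'
               '<script src="/js/app.js"></script>'
               '<img src="https://static.hotel.example/logo.png">'
               '<link rel="stylesheet" href="https://fonts.cdn.example/a.css">')
```

A clean result is an encrypted link, an empty `identifiers_in_url` list (for example, the booking shown only after login) and no third-party hosts on the page that displays the reservation.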
Many hotels in Europe are still coming to terms with Europe’s new privacy law, the General Data Protection Regulation (GDPR). The GDPR outlines data leakage guidelines which went into effect a year ago.
However, the Symantec study found that many European hotels are lagging in their GDPR-compliant update process, leaving their data leak soft spots exposed.