Cyber security experts have raised privacy fears over the potential for data breaches in the government’s plan to make pubs and restaurants keep a register of all visitors.
Under new rules laid out yesterday, all hospitality venues must keep a guest register to record the contact details of visitors for 21 days to help track and trace coronavirus infections.
The method of collection for this data has not been determined, though the government has suggested utilising the booking systems already present in restaurants or hairdressers to help keep track of customer details.
“The reality is that we already give up a lot of our data to the hospitality industry. Whenever we pay in pubs and restaurants using debit cards and card machines, when we have our ID scanned upon entry and when we purchase from food delivery apps,” said cyber security firm Darktrace’s director of technology, Dave Palmer.
“Formalised guest registry is, however, a new data point and may cause concerns for exploitation if hackers could reveal lifestyle choices that patrons would rather not publicise.”
Similar recommendations for collecting information from visitors were introduced in the US earlier this year. Businesses largely turned to pen and paper, which could prompt issues if that data then needs to be passed on to the NHS Test and Trace scheme.
David Warburton, a senior threat research evangelist at F5, warned that punters could provide false names or bogus addresses to avoid being tracked, which would pose significant problems for infection tracing.
“The likelihood will be that iPads and spreadsheets will be used for simplicity. There’s a high chance these systems will have little to no authentication attached to them, and will be stored on cloud platforms which can all too easily be made public accidentally,” he said.
“It would therefore not be surprising if many of these lists ended up being exposed in data breaches over the coming months, as regular scanning of open storage systems by bad actors is continuous.”
He added: “By combining multiple data breaches of visitors to various establishments, hackers could retrospectively build a record of their movements and even who they were with at the time.”
Those venues that do not have booking systems already set up will need to establish one before businesses are allowed to reopen on 4 July.
Hospitality executives have already called for further clarification from the government to ensure that the right processes can be implemented with minimal logistical or data trouble.
“If pubs and restaurants are required to collect data from visitors, clear data protection challenges arise,” said Tim Hickman, data protection expert and partner at law firm White & Case.
“Many pubs and restaurants have no existing infrastructure to support data collection on this scale. Implementing suitable systems will take time, and require investment that many venue operators may not be able to afford in the present circumstances.”
UK Hospitality chief executive Kate Nicholls said that trade bodies will do what they can to help businesses support the test and trace system while preparing to reopen.
“The safety of staff and customers is the number one priority for our sector. We know that businesses will endeavour to assist with measures that allow them to reopen and to support public health objectives,” she added.
A spokesperson for the Prime Minister said today: “People are very familiar with giving their contact details to the sorts of places you described — restaurants, pubs, hairdressers and others — in order to make appointments, so that’s not new. We said we will work with businesses though to make sure that they can implement this in a secure way.”
“It’s worth pointing out that this system is already in place in a number of countries which have some of the strictest privacy rules in the world and which are subject to GDPR regulations.”