Wednesday 10 April 2019 3:04 pm

Two-thirds of hotel websites leave guests' personal data exposed to hackers

Two-thirds of hotel websites inadvertently leak guests’ personal data to third-party companies and leave customers vulnerable to hackers, a new report has revealed.

Research by cyber security firm Symantec has found the majority of hotels use booking systems that could allow scammers to access information such as mobile phone numbers and passport details.

Read more: Government urges businesses to ramp up cyber security

The report found confirmation emails sent to customers often contain an unsecured direct link to their booking, meaning anyone on the same network could intercept the email and modify or cancel their reservation.

But it could also allow hackers to harvest personal data for use in future scams or extortion.

In addition, the flawed security means third-party sites such as advertisers and analytics companies could view the information.

The security lapses are in breach of the EU’s GDPR laws, which state firms must protect the personal data of customers.

“The fact that this issue exists, despite the GDPR coming into effect in Europe almost one year ago, suggests that the GDPR’s implementation has not completely addressed how organisations respond to data leakage,” said Candid Wueest, principal threat researcher at Symantec.

According to the report, poor security on some websites could enable attackers to carry out so-called brute forcing, allowing them to gain access to multiple bookings.

Through this technique, cyber criminals would be able to work out the booking reference number and log in of any customers just with knowledge of their surname or email address.

Wueest told City A.M. the flaws showed firms still do not fully understand how to comply with data protection laws, and warned they could face fines if caught.

The hospitality sector has been hit with several high-profile cyber security breaches in recent months, with major attacks targeting guests at chains such as Marriott and Hilton.

Read more: A third of small businesses have no cyber security strategy

“Rules regarding GDPR and the security of guests’ information is obviously a priority,” said Kate Nicholls, chief executive of UK Hospitality.

“Customers staying in UK hotels need to feel confident that their details are not going anywhere they shouldn’t. We have not had any feedback from our hotel members that there is an acute problem, but we will be in touch with all our members to provide support and share best practice.”