Poor security practices and the presence of a large number of third-party tracking services on their websites mean that as many as two thirds of hotels around the world could leak sensitive personal data of their customers, Symantec has discovered.
The personal data exposed in this way ranges from customers’ names, postal and email addresses, phone numbers, and the last four digits of their credit cards, including card type and expiration date, to passport numbers, ZDNet is reporting, citing the security blog post.
The vulnerability exists because the hotels’ booking websites send unencrypted links to customers and leak credentials as URL arguments, which then become available to third-party services, allowing them to view personal data, log into reservations, or cancel them – to harm either the travelers or the establishments’ reputation.
The issue is all the more grave as it has been discovered nearly one year after the EU’s General Data Protection Regulation (GDPR), designed to counter precisely such scenarios, came into force – highlighting once again that companies are either struggling with implementation or not even trying hard enough.
Symantec observed that while customers can check whether links sent to them are encrypted, “for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel.”
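The leak described above can be checked from the site operator's side. The following is an added example, not code from Symantec's post or from this article: it audits a page reached from an emailed link and reports whether the link is unencrypted, which credential-like URL arguments it carries, and which third-party hosts the page loads, since each of those can see the URL through the Referer header (unless a referrer policy trims it) or, for scripts, by reading the page address. The parameter names, hostnames and sample page are constructed assumptions, and hosts are compared by exact name as a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumed credential-like parameter names (hypothetical, not from the article).
SENSITIVE_PARAMS = {"bookingref", "confirmation", "email", "token", "pin"}

class _ResourceCollector(HTMLParser):
    """Collect (tag, URL) for every resource the page asks the browser to load."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))
        elif tag == "link" and attrs.get("href"):
            self.resources.append((tag, attrs["href"]))

def audit(page_url, html):
    """Report credential exposure for a page reached via an emailed link."""
    page = urlsplit(page_url)
    exposed = sorted(p for p in parse_qs(page.query) if p.lower() in SENSITIVE_PARAMS)
    collector = _ResourceCollector()
    collector.feed(html)
    # Relative URLs have no hostname and are first-party, so they are skipped.
    third_parties = sorted({
        host for _, src in collector.resources
        if (host := urlsplit(src).hostname) and host != page.hostname
    })
    return {
        "unencrypted_link": page.scheme != "https",
        "credential_params": exposed,
        # Only meaningful when the URL actually carries credentials.
        "third_parties_seeing_url": third_parties if exposed else [],
    }

# Constructed sample input: hostnames, parameters and values are made up.
SAMPLE_URL = "http://booking.hotel.example/retrieve.php?bookingRef=ABC123&email=guest%40mail.example"
SAMPLE_HTML = """
<html><head><script src="https://analytics.tracker.example/t.js"></script>
<link rel="stylesheet" href="/static/site.css"></head>
<body><img src="https://ads.adnet.example/pixel.gif"><img src="/img/logo.png"></body></html>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_HTML))
```

A page that authenticates the guest with a session cookie after login, instead of carrying the booking reference in the query string, returns empty `credential_params` and `third_parties_seeing_url` lists under this audit.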
Recently, IP and tech lawyer Annemarie Bridy posted on Twitter:
“Just wondering how I can opt out of @bookingcom’s new policy of sharing my information across its partner companies to give me a “better experience.” What a joke privacy has become.”
Travel companies seem to be moving towards more tracking at a time when it is being scrutinized more than ever.