The hotel industry didn’t get the memo on privacy

Load web pages faster. Stay private. Block ads.Β Get Brave For Free

Poor security practices and the presence of a large number of third-party tracking services on their websites means that as many as two thirds of hotels around the world could leak sensitive personal data of their customers, Symantec has discovered.

Candid Wueest, principal threat researcher with the California-based cybersecurity firm, said in a company blog post that the 1,500 hotels located in 54 countries included in the test ranged from two- to five-star establishments. Regardless of the privacy policy they have in place, 67 percent of these hotels “inadvertently” leak booking reference codes to about a total of 30 advertisers, social networks, search engines, and analytics services.

The personal data exposed in this way ranges from customers' names, postal and email addresses, phone numbers, last four digits of their credit cards, including card type and expiration date, to passport numbers ZDNet is reporting, citing the security blog post.

The vulnerability exists thanks to the hotels' booking websites sending unencrypted links to customers and leaking credentials as URL arguments, which then become available to third party services, allowing them to view personal data, log into reservations, or cancel them – to harm either the travelers, or the establishments' reputation.

The issue is all the more grave as it has been discovered nearly one year after EU's General Data Protection Regulation (GDPR) came into force, designed to counter precisely such scenarios – highlighting once again that companies are either struggling with implementation, or not even trying hard enough.

Start and monetize your own website:
In 30 minutes or less. Build your part of the internet. Today: Free domain name for Reclaim readers. Learn how.

Symantec suggests that the latter may be the case with the hotels affected here, as their response to the report of the problem has been “disappointing.” 25 percent of data privacy officers the security firm informed of the problem did not respond even after six weeks, while those who did took ten days on average, mostly to tell the researcher that they were now aware of the issue and would work to fix it. There were also those who said the leaked data was “not personal at all” – and that it “has to be shared with advertising companies as stated in the privacy policy.”

Symantec observed that while customers can check if links sent to them are encrypted – “for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel.”

Recently, IP and tech lawyer, Annemarie Bridy, posted on Twitter:

source: annemariebridy

“Just wondering how I can opt out of ⁦@bookingcom⁩’s new policy of sharing my information across its partner companies to give me a β€œbetter experience.” What a joke privacy has become.”

The tweet is in reference to's new update to their privacy policy announcing yet more sharing data with 3rd parties: “…we're going to start sharing information between the Booking Holdings brands for the purposes described in our updated Privacy Statement.”

It seems that travel companies seem to be moving towards more tracking at a time when it's getting scrutinized more than ever.


Use The Fastest Browser That Doesn’t Track You

Blocks ads. Blocks tracking. Keeps you and your data private. Free and open source. Up to 8 times faster page loads than Chrome and Safari. Join the Brave revolution today.

Use Brave To Browse The Web Faster, In Private

Didi Rankovic

Didi Rankovich is an experienced online journalist, editor, and translator, with a career spanning over ten years writing for major a English-language website in Serbia, and previously working as translator for international organizations and peacekeepers in the Balkans. Rankovich is passionate about free and open source tech and is a head contributor for Reclaim The Net, focusing on lead stories. [email protected]