Nearly 70 percent of hotel websites leak personal data, Symantec study finds

The study looked at more than 1,500 hotels across 54 countries.

A security flaw may be hiding in that confirmation email you get after booking a hotel room. A Symantec study of more than 1,500 hotels found that 67 percent of them were unwittingly leaking guests' personal information. The hotels in the study were spread across 54 countries, including the U.S., Canada and even some in the E.U., despite strict GDPR protections. They ran the gamut in quality too, from two-star motels to five-star beach resorts.

The main issue involved booking confirmation emails, according to Symantec principal threat researcher Candid Wueest. Many of the messages include an active link that directs to a separate website where guests can access their reservation having to log in again. The booking code and the guest email are often in the URL itself, which in and of itself isn't a big deal.

But, like many businesses, hotels share your personal data with third parties, meaning that your booking code and email are visible to them as well. The attacker would only need access to your booking code and email in order to find your address, full name, cell phone number, passport number and other highly sensitive information. Symantec also found that a smaller number of hotels didn't encrypt the links sent in confirmation emails, giving attackers another window of opportunity.

A Symantec spokesperson told Engadget that the company contacted the hotels that had the security flaw and that most, but not all, of the hotels were taking measures to fix it. Symantec would not disclose which hotels were named in the study, but said it looked at a total of 45 different websites, including boutique hotels and major chains with hundreds of locations, covering more than 1,500 hotels.

What can customers do in the meantime to guard their privacy? Symantec advises that people use a VPN to change their hotel reservation when connected to public WiFi. Also, you can check the URL of your confirmation link to see if your booking details are exposed. A URL with the security flaw would look like this: https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld

Wueest told Engadget in an email that he also looked at five travel search engines, and found similar security flaws. "This (...finding) shows it is a general issue in the travel industry and not just a local issue," he wrote.