
Image credit: jacoblund via Getty Images

Nearly 70 percent of hotel websites leak personal data, Symantec study finds

The study looked at more than 1,500 hotels across 54 countries.

A security flaw may be hiding in that confirmation email you get after booking a hotel room. A Symantec study of more than 1,500 hotels found that 67 percent of them were unwittingly leaking guests' personal information. The hotels in the study were spread across 54 countries, including the U.S., Canada and even some in the E.U., despite strict GDPR protections. They ran the gamut in quality too, from two-star motels to five-star beach resorts.

The main issue involved booking confirmation emails, according to Symantec principal threat researcher Candid Wueest. Many of the messages include an active link that directs to a separate website where guests can access their reservation without having to log in again. The booking code and the guest email are often in the URL itself, which in and of itself isn't a big deal.

But, like many businesses, hotels share your personal data with third parties, meaning that your booking code and email are visible to them as well. An attacker would only need access to your booking code and email in order to find your address, full name, cell phone number, passport number and other highly sensitive information. Symantec also found that a smaller number of hotels didn't encrypt the links sent in confirmation emails, giving attackers another window of opportunity.

A Symantec spokesperson told Engadget that the company contacted the hotels that had the security flaw and that most, but not all, of the hotels were taking measures to fix it. Symantec would not disclose which hotels were named in the study, but said it looked at a total of 45 different websites, including boutique hotels and major chains with hundreds of locations, covering more than 1,500 hotels.

What can customers do in the meantime to guard their privacy? Symantec advises that people use a VPN to change their hotel reservation when connected to public WiFi. Also, you can check the URL of your confirmation link to see if your booking details are exposed. A URL with the security flaw would look like this: https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld
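The URL check described above can be scripted for anyone reviewing confirmation emails in bulk. This is an added example, not code from Symantec or Engadget; the function names and the heuristic for what counts as a booking reference are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: a query value of 5+ uppercase letters/digits containing at
# least one digit is treated as a possible booking reference.
REF_RE = re.compile(r"^(?=[A-Z0-9]*\d)[A-Z0-9]{5,}$")

# The sample URL from the article, plus a constructed plain-HTTP variant
# with a percent-encoded email address.
PAGE_EXAMPLE = ("https://booking.the-hotel.tld/retrieve.php"
                "?prn=1234567&mail=john_smith@myMail.tld")
HTTP_VARIANT = ("http://booking.the-hotel.tld/retrieve.php"
                "?prn=1234567&mail=john_smith%40myMail.tld")


def audit_confirmation_link(url):
    """Return a list of findings for one booking-confirmation link."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("unencrypted link: scheme is %r, not https" % parts.scheme)
    # parse_qsl percent-decodes values, so john%40mail.tld is still caught.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.match(value):
            findings.append("email address in query parameter %r" % name)
        elif REF_RE.match(value):
            findings.append("possible booking reference in query parameter %r" % name)
    return findings


def exposes_booking_login(url):
    """True when the URL alone carries both an email and a reference,
    so anyone who sees the URL holds what is needed to open the booking."""
    findings = audit_confirmation_link(url)
    has_email = any(f.startswith("email address") for f in findings)
    has_ref = any(f.startswith("possible booking reference") for f in findings)
    return has_email and has_ref


if __name__ == "__main__":
    for link in (PAGE_EXAMPLE, HTTP_VARIANT):
        print(link)
        for finding in audit_confirmation_link(link):
            print("  -", finding)
```
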

Wueest told Engadget in an email that he also looked at five travel search engines, and found similar security flaws. "This (...finding) shows it is a general issue in the travel industry and not just a local issue," he wrote.
