This article originally appeared in SiliconANGLE on April 10, 2019.
New research from Symantec Corp. has found that two out of every three hotel websites leak guest booking details to third-party sites.
The research, which looked at more than 1,500 hotel websites in 54 countries covering a full range of hotel types, found that the hotel websites were leaking data in multiple ways, including via third-party advertisers, social media websites, data aggregators and other partners.
Data regularly leaked included full name, address, mobile phone number, passport number and the last four digits of credit card numbers.
The data was often leaked directly. Some 57% of hotels tested were found to leak the information by sending guests a booking confirmation link whose URL included both the booking code and the guest’s email address. “This is provided for the convenience of the customer, allowing them to simply click on the link and go straight to their reservation without having to log in,” the report noted.
The problem is that when a guest clicks on the link, any third-party provider of ads or services the hotel uses on its site gains access to both the booking number and the guest’s email address. Worse still, anyone who obtains the direct access URL also gains access to the guest’s personal information without being required to log in.
How many third parties receive the information is notable as well. The research found that third parties generate an average of 176 requests per booking, with as many as 30 different companies obtaining the information.
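As an added illustration (not from the Symantec report or the original article), the following Python example audits the requests captured while loading a booking page and reports which third-party hosts received the booking code or email address. The host names, the `ref` and `email` parameter names and the request list are constructed, and it assumes the values reach third parties through the `Referer` header or by being copied into request URLs.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample data: hosts, parameter names and requests are hypothetical.
PAGE_URL = "https://hotel.example/manage?ref=AB12CD34&email=guest%40mail.example"
REQUESTS = [
    {"url": "https://hotel.example/static/app.js", "referer": PAGE_URL},
    {"url": "https://ads.tracker.example/pixel?page=%2Fmanage%3Fref%3DAB12CD34",
     "referer": "https://hotel.example/"},
    {"url": "https://cdn.widgets.example/chat.js", "referer": PAGE_URL},
    {"url": "https://fonts.example/font.woff2", "referer": "https://hotel.example/"},
]
SENSITIVE_PARAMS = {"ref", "email"}


def fully_unquote(text, rounds=3):
    """Undo nested percent-encoding, since the page URL is often re-encoded."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_leaks(page_url, requests, sensitive_params=SENSITIVE_PARAMS):
    """Return {third_party_host: sorted list of leaked parameter names}."""
    page = urlsplit(page_url)
    secrets = {k: v for k, v in parse_qsl(page.query) if k in sensitive_params}
    leaks = {}
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if host == page.hostname:
            continue  # first-party request: the hotel already holds this data
        # Search both the request URL and the Referer the browser attached.
        haystack = fully_unquote(req["url"]) + " " + fully_unquote(req.get("referer", ""))
        found = [name for name, value in secrets.items() if value in haystack]
        if found:
            leaks.setdefault(host, set()).update(found)
    return {host: sorted(names) for host, names in leaks.items()}


if __name__ == "__main__":
    for host, names in find_leaks(PAGE_URL, REQUESTS).items():
        print(f"{host} received: {', '.join(names)}")
```

The host comparison is an exact match, so a hotel's own subdomains would be reported as third parties and need to be allow-listed in real use.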
Along with the risk presented by booking confirmations, 30% of hotel sites were found to not encrypt the links they send in booking confirmation emails, giving attackers a potential way to intercept the link and view or even change a booking.
Chris Olson, chief executive officer of The Media Trust, told SiliconANGLE that most website owners and operators don’t in fact know how their websites work and who’s working on them.
“Anywhere from 50 to 95% of code that runs on them are executing outside of the company’s IT infrastructure because they are coming from third parties,” Olson explained. “Most pages where consumers enter their personal and payment information are operated by third parties, who have their own share of vendors executing code.”
Most of these sites have more than 100 direct and indirect third parties, and the majority of these third parties are unknown to the website owners, he added. “If you don’t know who you’re doing business with on your website, you can’t possibly control what they do to your site users and those users’ sensitive information.”