Two out of three hotel websites inadvertently leak guests' booking details and personal data to third-party sites, including advertisers and analytics companies, according to research by Symantec Corp.
The study looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties.
Exposed personal information includes guests' full names, email addresses, credit card details and passport numbers, data that could be used by cybercriminals, who are increasingly interested in the movements of influential business professionals and government employees, Symantec said.
What caused the leaks? More than half (57 percent) of the sites tested send customers a confirmation email containing a direct access link to their booking, Symantec said. The link is provided for the customer's convenience: clicking it takes them straight to their reservation without having to log in.
"There are other scenarios in which the booking data may also be leaked," Symantec said. "Some sites pass on the information during the booking process, while others leak it when the customer manually logs into the website. Others generate an access token, which is then passed in the URL instead of the credentials, which is not good practice either."
To mitigate the risk, Symantec said, "Booking sites should use encrypted links (HTTPS) and ensure that no credentials are leaked as URL arguments. Customers can check if links are encrypted or if personal data such as their email address is passed as visible data in the URL. They can also use VPN services to minimize their exposure on public hotspots. Unfortunately, for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel."
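The customer-side check Symantec describes, whether the confirmation link is encrypted and whether personal data or credentials are passed as visible URL arguments, can be automated. The following is an added example, not code from Symantec or the article; the parameter names it treats as sensitive and the sample link are constructed assumptions, and it inspects only the scheme and query string, not the path.

```python
import re
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
# Assumed parameter names that commonly carry a booking reference, login or access token.
SENSITIVE_KEYS = {"email", "mail", "booking", "bookingid", "reservation",
                  "ref", "token", "access", "key", "pass", "pin"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to recognise card-number-like values in the query string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_booking_link(url: str) -> list[str]:
    """Return findings describing what a confirmation link exposes in transit.

    An empty list means the link uses HTTPS and no parameter looked like an
    email address, a card number or a booking credential.
    """
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append(f"unencrypted scheme '{parts.scheme}'")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        digits = re.sub(r"[ -]", "", value)
        if EMAIL_RE.match(value):
            findings.append(f"email address in parameter '{key}'")
        elif digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(f"card-number-like value in parameter '{key}'")
        elif key.lower() in SENSITIVE_KEYS and len(value) >= 6:
            findings.append(f"credential or booking identifier '{key}' passed in URL")
    return findings


# Constructed sample link (not from the report): plain HTTP, email and booking reference in the URL.
SAMPLE = "http://hotel.example/booking?email=guest@example.com&ref=AB12345&lang=en"

if __name__ == "__main__":
    for finding in audit_booking_link(SAMPLE):
        print("finding:", finding)
```

Any finding means a third party that sees the request (a proxy, or a site receiving the URL as a referrer) also sees that data.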
Warren Poschman, senior solutions architect with comforte AG, told Security magazine: "Of late, the hotel industry has been bearing the brunt of many of the data breaches and I expect the trend to not abate any time soon, which is why they need to start taking action now. The problem that hotels have is clearly the large amount of data they have in their data warehouses. Like other softer targets such as localities and state governments, they maintain numerous and detailed information on clientele because they need it. But having lots of data isn't really the problem – it's the challenges of the industry. A key issue the hotel industry faces is having open systems with large numbers of franchisees. The hotel industry is largely run on a franchise model with each hotel having some latitude on how they run their house with their own local partners while having access to the central systems. This makes the chance of introducing threats and attacks so much more possible than it does in the closed systems of banks and payments and, as retail and restaurants have found, these threats are hard to contain even with rigorous enforcement of front-of-house systems. Hotels have a lot of security choices including strengthening firewalls, intrusion detection, encrypting data, and limiting access to data through access controls. But focusing on infrastructure, perimeter and intrusion detection is a losing battle since these measures only protect you from the threats you know about and don't offer any protection once compromised or circumvented. Furthermore, many of the hotel chains heavily invested in passive, data-at-rest encryption protection for their storage, databases, and data warehouses – which doesn't address the current threat vectors and is a false sense of security."
"The key is to think about what the attackers are after at the hotel chains – the data warehouse – and how that great resource can be used while preventing abuse," Poschman added. "Adopting a data-centric security model allows for the data to be protected as it is acquired and traverses through the organization and, when an attacker gains access through the perimeter, the risk that the actual personal data will be exposed is dramatically reduced. Data-centric protection using technologies like tokenization allows the organization to use the protected data for their operations, analytics and data sharing, meaning that any exfiltrated data would be useless tokens and not a data breach. Guest safety and privacy have to extend through the full environment, not just the front doors!"