Lonely Planet Writer

That hotel booking confirmation email might expose you to hacking

A security flaw in some hotel websites might cause headaches even before your trip starts.

Personal information might not be secure in a hotel email. Image by webphotographeer/Getty Images

According to a report by security software company Symantec, almost 70% of hotel websites have security flaws that put customer data at risk. The study surveyed over 1500 hotels in 54 countries including the US, Canada and even supposedly GDPR-compliant countries in the EU.

The most common issue involved booking confirmation emails, which often include a link to a website where guests can manage, change or cancel their reservation without having to log in. Many of those links include the guest’s booking code and email, which, by itself, isn’t a big deal. But most hotels share that data with third-party sites like analytics companies or advertisers. According to head researcher Candid Wueest, that’s where a security flaw leaves customer data open to attackers.

Some booking confirmation emails don’t have your information encrypted. Image by Oscar Wong/Getty Images

Wueest says that when a page is loaded, up to dozens of third-party sites receive your email and booking code, embedded within that URL, as part of their normal identification and ad-delivery process. An attacker with access to those third-party sites could use that info to log into a reservation and see personal details like full name, street address, passport number, credit card details and other sensitive information.

Additionally, some of those links allow the user to make changes to a reservation without needing to log in, so an attacker could simply cancel or modify the reservation, causing huge hassles when you arrive at your destination.

Furthermore, Symantec found that 29% of hotels didn’t encrypt the links, giving attackers even easier access to this information. On public networks, such as hotel Wi-Fi, data sent over an unencrypted link can be seen by anyone else on the network.

Customers can check if their booking links are encrypted. Image by Westend61/Getty Images

When Symantec reached out to the affected hotels, the majority responded that they were working on finding a fix. Symantec didn’t disclose which specific hotels were found to have security issues.

What you can do to protect yourself

Symantec recommends that customers check to see if booking confirmation links are encrypted (if they feature the HTTPS protocol in the URL, for example), and ensure they don’t have personal data embedded within the URL. If customers need to manage a booking while travelling, they should use a VPN when connected to public Wi-Fi, Symantec says.
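Both checks can be run on a link before you click it. The following Python is an added example, not part of the original article or of Symantec's report; the parameter names it treats as booking codes and the sample links are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed parameter names; real booking systems choose their own.
BOOKING_KEYS = {"booking", "bookingref", "bookingcode", "reservation",
                "confirmation", "ref", "pnr"}


def audit_booking_link(url):
    """Return a sorted list of findings for one link from a confirmation email."""
    parts = urlsplit(url)
    findings = set()

    # Anything other than HTTPS is readable by others on a shared network.
    if parts.scheme.lower() != "https":
        findings.add("unencrypted")

    # parse_qsl percent-decodes, so an email written as %40 is still caught.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value):
            findings.add("email-in-url")
        normalised = key.lower().replace("_", "").replace("-", "")
        if normalised in BOOKING_KEYS and value:
            findings.add("booking-code-in-url")

    # Personal data can also sit in the path or fragment, not only the query.
    for text in (unquote(parts.path), unquote(parts.fragment)):
        if EMAIL_RE.search(text):
            findings.add("email-in-url")

    return sorted(findings)


# Constructed sample links (hotel.example is a reserved test domain).
SAMPLES = [
    "http://hotel.example/manage?bookingRef=ABC123&email=jane.doe%40example.com",
    "https://hotel.example/manage/jane.doe%40example.com/XK42",
    "https://hotel.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", audit_booking_link(link) or "no findings")
```

A booking code placed in the URL path, as in the second sample, has no parameter name to match on, so only the email address is reported for that link.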