Hotels were created to provide a place to rest away from home but, more often than not, the booking process itself can be quite stressful. As if that weren’t bad enough, it seems that more than half of the hotels that let you book online might make you want to reconsider. A security researcher has just discovered that two out of three hotels across the world have very little security in place to protect their patrons’ data, making them easy pickings not just for advertisers but also for criminals.
To be fair, the hotels might not really be engaged in outright or conscious illegal activities. Instead, it might simply be due to carelessness, ignorance, or apathy toward proper data security practices. That is despite the fact that laws like Europe’s General Data Protection Regulation went into effect last year.
Symantec principal threat researcher Candid Wueest tested 1,500 hotels in 54 countries and discovered that about 67% of them exhibited this problem. In a nutshell, the confirmation links they send via email allow anyone who has that link to view booking details and, with a little fudging, even personal details of the person who made the reservation.
Complicating matters is that these hotel websites often use third-party services for analytics or advertisements. These third parties receive the direct access link in full, which means anyone inside the company with less than innocent intent could, in effect, log into the reservation and even cancel it. Some sites, however, retain the user’s information even after the booking has been canceled.
When informed of the situation, few hotels replied in time. Some of those that did weren’t even aware of such security holes, either in their own systems or in those of third-party providers. While there may be ways for people to protect themselves, those go beyond their means or knowledge. It is something that has to be fixed on the hotels’ end but, unfortunately, it seems that even the GDPR hammer isn’t strong enough to make them fall in line.