Two out of every three hotel websites are inadvertently leaking a torrent of guest information to third parties, giving these agencies the power to view, change, or cancel bookings, researchers have discovered.
Cybersecurity researchers from Symantec said on Wednesday that in a study of over 1,500 hotels in 54 countries, the team found that 67 percent of the hotels' websites leaked booking reference codes and more to advertising networks and analytics companies.
Symantec says that this information -- likely but inadvertently shared during user advert tracking processes -- could allow these third parties not only to access guest information, but also to log into reservations, view sensitive details, and "even cancel bookings altogether."
The hotels ranged from two-star hotels in remote, countryside areas to five-star resorts. Hotel chains were also involved in the security lapse.
While a fraction of hotels only leaked numerical values and reservation dates, the majority leaked a far wider range of customer information, including full names, email addresses, physical addresses, and phone numbers.
In addition, some hotels leaked passport numbers and financial details including the last four digits of credit cards, card types, and expiration dates.
Symantec further added that 57 percent of the hotels included in the study send an email with a direct booking link to customers, but as many hotel websites implemented advert-related content on their website pages, over 30 service providers can also obtain this link.
Over 176 requests were generated per booking on average and the static links used could result in these direct booking details being available to advertisers, analytics firms, search engines, and social networks.
"There are other scenarios in which the booking data may also be leaked," the cybersecurity firm says. "Some sites pass on the information during the booking process, while others leak it when the customer manually logs into the website. Others generate an access token, which is then passed in the URL instead of the credentials, which is not good practice either."
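To check a booking page for the kind of exposure described above, the requests it generates can be captured and searched for the booking reference. The following is an added example, not code from Symantec or from the article: the capture is constructed, and the `example.*` hosts, the `ref` and `email` parameters and all values are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed capture of requests made while a booking page loads (not real traffic).
# Hosts, parameter names and values are assumptions made for this example.
BOOKING_URL = "https://hotel.example/manage?ref=BK7731905&email=guest%40mail.example"
CAPTURE = [
    {"url": BOOKING_URL, "referer": ""},
    {"url": "https://hotel.example/static/app.js", "referer": BOOKING_URL},
    {"url": "https://ads.example.net/pixel.gif?page=https%3A%2F%2Fhotel.example%2Fmanage%3Fref%3DBK7731905",
     "referer": "https://hotel.example/"},
    {"url": "https://stats.example.org/collect?v=1", "referer": BOOKING_URL},
    {"url": "https://cdn.example.com/font.woff2", "referer": "https://hotel.example/"},
    {"url": "http://hotel.example/manage?ref=BK7731905", "referer": ""},
]
SECRETS = {"booking_ref": "BK7731905", "email": "guest@mail.example"}


def is_first_party(host, site):
    return host == site or host.endswith("." + site)


def decode(text, rounds=2):
    # Tracking requests often carry the page URL percent-encoded once or twice.
    for _ in range(rounds):
        text = unquote(text)
    return text


def find_leaks(site, secrets, capture):
    """Return sorted (host, channel, secret_name) tuples for every exposure found."""
    findings = set()
    for req in capture:
        parts = urlsplit(req["url"])
        host = parts.hostname or ""
        channels = {"url": decode(req["url"]), "referer": decode(req.get("referer", ""))}
        for name, value in secrets.items():
            for channel, text in channels.items():
                if value not in text:
                    continue
                if not is_first_party(host, site):
                    findings.add((host, channel, name))    # sent to another party
                elif parts.scheme == "http" and channel == "url":
                    findings.add((host, "cleartext", name))  # unencrypted booking link
    return sorted(findings)


if __name__ == "__main__":
    for host, channel, name in find_leaks("hotel.example", SECRETS, CAPTURE):
        print(f"{host:20} {channel:10} {name}")
```

Findings on the `referer` channel depend on the browser sending the full page URL cross-origin, which a restrictive `Referrer-Policy` on the booking page prevents. Findings on the `url` channel mean a script on the page is forwarding the address itself.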
The team also found a number of other security lapses. In total, 29 percent of hotels did not encrypt initial links containing booking IDs and references to customers -- which could permit threat actors to eavesdrop and steal these details -- and multiple website booking systems were susceptible to brute-force attacks.
Now that the EU's General Data Protection Regulation (GDPR) is in force, hotels -- like any other business in the region -- need to maintain a firm grip on their data collection, storage, and processing.
Symantec says that many of the hotels affected by this issue "have been very slow to acknowledge, much less address, it," with 25 percent of the hotels' privacy officers failing to respond to the researchers' findings within six weeks. Those who did respond took an average of 10 days to do so.
"The fact that this issue exists, despite the GDPR coming into effect in Europe almost one year ago, suggests that the GDPR's implementation has not completely addressed how organizations respond to data leakage," Symantec added. "More than 200,000 cases of GDPR violations, complaints, and data breaches have been reported so far, and users' personal data remains at risk."
We've seen what can happen when security lapses or cyberattacks impact hotels. Last year, Marriott revealed a severe data breach in which cyberattackers had been able to maintain access to guest databases since 2014, impacting an estimated 500 million customers. However, Marriott was not involved in the most recent study.