Symantec Threat Intelligence: Two in Three Hotel Websites Leak Guest Booking Details
Hospitality services’ websites may leak your booking details, allowing others to view your personal data or even cancel
your reservation.
Based on an analysis of more than 1,500 hotels in 54 countries spread across five continents, Symantec discovered that
two out of three hotel websites inadvertently leak guests’ booking details and personal data to third-party sites,
including advertisers and analytics companies. With the one-year anniversary of the GDPR just next month, the findings
call into question just how much the policy’s implementation has addressed the ways in which organisations handle data
leakage.
Some reservation systems were commendable, as they only revealed a numerical value and the date of the stay and did not
divulge any personal information. But the majority leaked personal data, such as:
• Full name
• Email address
• Postal address
• Mobile phone number
• Last four digits of credit card, card type, and expiration date
• Passport number
What are the risks?
The 2018 Norton LifeLock Cyber Safety Insights Report recently revealed consumers are concerned about their privacy (83 percent), but most say they accept certain risks to
make life more convenient (61 percent).
Many individuals regularly share details of their travels by posting photos on social media networks. Some don't even
bother blurring out the booking reference of their tickets. These individuals may not be too concerned about their
privacy and may actually want their followers to know about their whereabouts.
An attacker might decide to cancel a reservation just for fun or as personal revenge, but it could also be to damage the
reputation of a hotel as part of an extortion scheme or as an act of sabotage carried out by a competitor.
To read the full Threat Intelligence Report please go to https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data