NATIONAL REPORT—According to a blog post on cybersecurity software and services company Symantec’s website, two in three hotel websites leak guest booking details and give third parties access to personal data.
The information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether.
Wueest tested sites ranging from two-star hotels in the countryside to luxurious five-star resorts on the beach. “Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations,” he wrote. “Some hotel sites I tested are part of larger, well-known hotel chains, meaning my research for one hotel applies to other hotels in the chain.”
The leaked information:
- Full name
- Email address
- Postal address
- Mobile phone number
- Last four digits of credit card, card type, and expiration date
- Passport number
Given these findings, Lisa Baergen, VP of marketing for NuData Security, a Mastercard company, said hospitality companies need to step up their security measures. “User experience and security still seem to be at odds for many hospitality websites. In an effort to make information easily accessible to third parties and customers, some companies lower their security measures that expose customer data. Hotels and other hospitality companies should work on securing their digital supply chains, reassess the security measures protecting their customers’ data and have post-breach processes ready.”
She continued, “After a breach happens, hospitality companies need to be ready to mitigate the damages by correctly authenticating their good users despite hackers potentially leveraging stolen credentials. This sort of data exposure is why so many organizations—from the hospitality sector through to eCommerce companies, financial institutions and major retailers—are layering in advanced security solutions, such as passive biometrics and behavioral analytics that identify customers by their online behavior, thus mitigating post-breach damage as hackers are not able to impersonate individual behavior.”