Hotels were created to provide a place to rest away from home, but more often than not the reservation process itself can be quite stressful. As if that weren’t enough, it seems more than half of the hotels that let you book online might make you want to reconsider. A security researcher has just found that two out of three hotels in the world have very little security in place to protect their guest’s data, making them easy choices not only for advertisers but also for criminals.
To be fair, hotels might not be really involved in outright illegal activities. Instead, it could simply be due to carelessness, ignorance, or apathy for good data security practices. This is despite the fact that laws like the European General Data Protection Regulation entered into force last year.
Candid Wuesst, senior threat researcher at Symantec, tested 1,500 hotels in 54 countries and found that approximately 67% of them had this problem. In a nutshell, the confirmation links they email out allow anyone with that link to view the details of the booking and, with a bit of falsification, even the personal details of the person who made it. the reservation.
To complicate matters, these hotel websites often use third-party services for analysis or advertising. These third parties receive the direct access link in its entirety, which means that anyone inside the company with a less than innocent intention could, in effect, log into the reservation and even cancel it. However, some sites retain user information even after the reservation is canceled.
Informed of the situation, few hotels responded in time. Some of those who did were not even aware of these security holes, either in their system or with third-party vendors. While there may be ways for people to protect themselves, these are beyond their means or knowledge. This is something that needs to be sorted out on the hotels side but unfortunately it seems that even the hammer of GDPR is not strong enough to make them line up.