Most hotels leak personal data
In January this year, we published a story concerning a data breach incident at a major hotel group. The cyber attack on the Marriott hotel group, which held details of approximately 500 million guests, was subsequently traced to China.
Apparently, the attack was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation. They said the hackers are suspected of working for the Ministry of State Security, the country’s Communist-controlled civilian spy agency. The discovery comes as the Trump administration plans to target China’s trade, cyber and economic policies, possibly within days.
Now, once again, cybersecurity in the hospitality sector is under scrutiny, this time following a study by online security firm Symantec, which found alarmingly high levels of hotels leaking customer data. In fact, the leakage of booking details was so bad that attackers could potentially view customers’ personal information and even cancel their hotel reservations.
As per numerous news reports, hotels already have a pretty dismal track record when it comes to data security, after several big hotel chains around the world suffered serious and repeated data breaches over the past few years.
Symantec reviewed more than 1,500 hotel websites across 54 different countries and concluded that more than 67% (two out of three) of hotel websites were inadvertently leaking guests’ booking information and personal data to websites operated by third-party companies, such as advertisers and analytics firms.
Symantec has warned that the compromised personal data can include:
- full names
- postal addresses
- mobile phone numbers
- email addresses
- credit card details (last four digits only)
- passport numbers
Candid Wueest, principal threat researcher at Symantec, blogged:
While researching possible formjacking attacks on hotel websites recently, I stumbled across a separate issue that could potentially leak my and other guests’ personal data, … I tested multiple websites – including more than 1,500 hotels in 54 countries – to determine how common this privacy issue is. … While it’s no secret that advertisers are tracking users’ browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.
According to a news article by Tom Jowitt, writing for Silicon UK, the hotels in question include both luxurious five-star resorts and hotels at the cheaper end of the scale. Hotels in the US, the UK and Europe are said to be affected, despite the risks for them associated with the General Data Protection Regulation (GDPR) which came into effect in Europe last year.
So what exactly is the problem? Well, it seems that the main issue surrounds the actual booking confirmation email: many of these emails contain an active link that directs to a separate website where guests can access their reservation without having to log in again.
Unfortunately, the booking code and the guest’s email address are often in the URL itself, which on its own normally isn’t a big issue.
An example would be: https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld
“On its own, this would not be an issue,” wrote Wueest. He added:
However, many sites directly load additional content on the same website, such as advertisements. This means that direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request. My tests have shown that an average of 176 requests are generated per booking, although not all these requests contain the booking details. This number indicates that the booking data could be shared quite widely.
And worryingly, Symantec found that more than one-quarter (29 percent) of the hotel sites did not encrypt the initial link sent in the email that contained the ID.
“Booking sites should use encrypted links (HTTPS) and ensure that no credentials are leaked as URL arguments,” Wueest advised.
“Customers can check if links are encrypted or if personal data, such as their email address, is passed as visible data in the URL,” he added. “They can also use VPN services to minimize their exposure on public hotspots. Unfortunately, for the average hotel guest, spotting such leaks may not be an easy task, and they may not have much choice if they want to book a specific hotel.”
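The two faults described above (an unencrypted confirmation link, and a booking code plus email address carried as visible URL arguments that third-party resources then receive through the referrer field) can be checked mechanically. The following Python script is an added example, not code from the article, Symantec or any hotel: `audit_link` flags the scheme and the query arguments, and `referer_sent` models what a browser would attach as the Referer when the confirmation page loads a third-party resource under a given Referrer-Policy. The example URL is the one quoted in the article; the advertising host `ads.example`, the function names and the `SENSITIVE_PARAMS` list are assumptions made for illustration.

```python
# Added example (not from the article or Symantec): audit a booking-confirmation
# link and simulate the referrer leak the article describes. The example URL is
# the one quoted in the article; ads.example and SENSITIVE_PARAMS are assumptions.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Query-parameter names that commonly carry a reservation identifier or a
# credential-like token (assumption: an illustrative list, not a standard).
SENSITIVE_PARAMS = {"prn", "booking", "reservation", "confirmation", "token", "id"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def audit_link(url):
    """Flag the two problems the article describes: an unencrypted scheme, and
    personal data or booking credentials passed as visible URL arguments."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append(f"unencrypted scheme: {parts.scheme}")
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if EMAIL_RE.match(value):
                findings.append(f"email address in query parameter '{name}'")
            elif name.lower() in SENSITIVE_PARAMS:
                findings.append(f"booking identifier in query parameter '{name}'")
    return {"https": parts.scheme == "https", "findings": findings}


def referer_sent(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Return the Referer value a browser attaches when the page at page_url
    loads resource_url under the given Referrer-Policy, or None if nothing is
    sent. Models the named policies of the W3C Referrer Policy spec; the
    fragment is always stripped and URL userinfo is assumed absent."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    host = page.hostname + (f":{page.port}" if page.port else "")
    full = urlunsplit((page.scheme, host, page.path, page.query, ""))
    origin = f"{page.scheme}://{host}/"
    same_origin = (page.scheme, page.hostname, page.port) == (res.scheme, res.hostname, res.port)
    downgrade = page.scheme == "https" and res.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":  # older browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy: {policy}")


if __name__ == "__main__":
    # Constructed input: the article's example link and a hypothetical
    # advertising pixel embedded on the confirmation page.
    link = "https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld"
    pixel = "https://ads.example/pixel.gif"
    print(audit_link(link))
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referer_sent(link, pixel, policy)}")
```

Run against the article's example link, the audit reports both the booking identifier and the email address as visible URL arguments, and the referrer simulation shows that under the older `no-referrer-when-downgrade` default every HTTPS third-party resource receives the complete URL, booking code and email included, while `strict-origin-when-cross-origin` or `no-referrer` (set with the `Referrer-Policy` response header or a `<meta name="referrer">` tag) reduces that to the bare origin or nothing. A referrer policy only closes the indirect path Wueest mentions; the direct path, where a script embedded on the page reads the URL itself, is closed only by his first recommendation of keeping credentials out of URL arguments altogether.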
Security experts warned hotels that they have to do a much better job of protecting consumer data in the age of GDPR.
“Consumers should feel safe and secure when they hand over their personal information into a business’s website,” explained Tim Dunton, MD at Nimbus Hosting:
Unfortunately, it is becoming increasingly apparent that some websites lack the basic security measures required to prevent such information from being exploited by cyber criminals, … In the age of GDPR, and at a time when consumerism exists almost entirely online, exploitable websites and a lack of basic cyber security measures is simply not acceptable. … Moving forward, it is essential that all businesses begin to understand the full implications of not protecting their customers’ data, and start taking proactive measures to ensure hackers cannot access sensitive information by exploiting outdated websites and unregulated IT systems.
Another expert argued that the leak is fundamentally a design problem, which does not lessen its seriousness. “It turns out all those emails and website banners were the easy part of GDPR compliance,” said Tim Erlin, VP, product management and strategy at Tripwire. “This type of data leakage is fundamentally a design problem, which shouldn’t detract from the severity of the issue. … With the right training and threat modeling, these kinds of issues can be stopped in the development cycle, instead of in production,” said Erlin.
Another expert said this type of leak is, unfortunately, notorious within security circles.
“Cross domain includes site tracking scripts and site optimisation platforms which are notorious for causing leaks such as these,” explained Martin Jartelius, CSO at Outpost24.
“However, it is great to see that discussions to rectify this are surfacing,” said Jartelius. “Over the last few years, a range of breaches have been caused by supply chain or dependencies on platforms managed by others.
However, with the amount of information crossing organisations’ trust boundaries, there does not seem to be a substantial amount of consideration related to confidentiality and privacy. This also happens to be one of the issues with domains that GDPR was designed to address.”
Sources and credits: Business Telegraph