Troublesome 1,500 Hotel Chains Inadvertently Leaking Customer Data
Symantec, a mainstream antimalware vendor, has disclosed the results of a study revealing that 67% of hotel websites leak data through their booking systems. The leakage continues and is predicted to keep rising with the growth of formjacking attacks. Symantec tested 1,500 hotels globally and found that for every three hotels audited, two had some form of data leakage as a side effect of third-party analytics plugins.
Many of these hotels fall directly under the European Union’s GDPR, yet almost a full year after it took effect, only a minority of hotels in Europe are actually compliant with it. The affected hotels are mostly well-known chains with many branches worldwide, and most of them have more than satisfactory reviews among the traveler community.
“The sites I tested ranged from two-star hotels in the countryside to luxurious five-star resorts on the beach. Basically, I randomly chose locations where I would like to spend my vacation, then selected the top search engine results for hotels in those locations. Some hotel sites I tested are part of larger, well-known hotel chains, meaning my research for one hotel applies to other hotels in the chain. Some reservation systems were commendable, as they only revealed a numerical value and the date of the stay and did not divulge any personal information. But the majority leaked personal data, such as: Full name; Email address; Postal address; Mobile phone number; Last four digits of credit card, card type, and expiration date; Passport number,” explained Candid Wueest, Principal Threat Researcher at Symantec.
The way these unnamed hotels’ booking systems are built is the primary reason personally identifiable information can be extracted from them: the reservation page’s URL carries the booking reference and the customer’s email address as query parameters, and that full URL is reported to third-party services such as Google Analytics that the page embeds. Wueest gave a sample analytics request containing leaked data, which only an observant person would notice in the browser’s address bar:
https://www.google-analytics.com/collect?v=1&_v=j73&a=438338256&t=pageview&_s=1&dl=https%3A%2F%2Fbooking.the-hotel.tld%2Fretrieve.php%3Fprn%3D1234567%26mail%3Djohn%5Fsmith%40myMail.tld&dt
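A defender-side check, added here as an example and not part of Symantec’s research or tooling: the script below parses an analytics beacon of the shape quoted above, decodes the page URL it reports in the `dl`/`dr` parameters, and flags booking references and email addresses carried in that URL’s query string, so it can be run over proxy or web-server logs to spot this leak. The hotel domain, parameter names and log lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample beacon in the shape quoted in the article (placeholder
# hotel domain, reservation number and email address, not real data).
SAMPLE_BEACON = (
    "https://www.google-analytics.com/collect?v=1&_v=j73&a=438338256&t=pageview&_s=1"
    "&dl=https%3A%2F%2Fbooking.the-hotel.tld%2Fretrieve.php%3Fprn%3D1234567"
    "%26mail%3Djohn%5Fsmith%40myMail.tld&dt=Your%20reservation"
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed query parameter names that commonly carry a booking reference or
# contact detail; extend to match the booking system being reviewed.
SENSITIVE_KEYS = {"prn", "mail", "email", "booking", "reservation", "ref", "lastname"}


def leaked_fields(beacon_url: str) -> dict:
    """Return {param: value} for personal data found in the page URL that an
    analytics beacon reports ('dl' = document location, 'dr' = referrer)."""
    outer = parse_qs(urlparse(beacon_url).query)  # decodes the %-encoded dl value once
    found = {}
    for key in ("dl", "dr"):
        for page_url in outer.get(key, []):
            inner = parse_qs(urlparse(page_url).query)  # the hotel page's own query string
            for name, values in inner.items():
                for value in values:
                    if name.lower() in SENSITIVE_KEYS or EMAIL_RE.match(value):
                        found[name] = value
    return found


def scan_log(lines):
    """Yield (line_no, fields) for log lines whose analytics beacon carries personal data."""
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if "/collect?" in token:
                fields = leaked_fields(token)
                if fields:
                    yield n, fields


# Constructed proxy log: line 1 leaks, line 2 reports a clean page URL.
SAMPLE_LOG = [
    "10.0.0.5 - - GET " + SAMPLE_BEACON + " 200",
    "10.0.0.6 - - GET https://www.google-analytics.com/collect?v=1&t=pageview"
    "&dl=https%3A%2F%2Fbooking.the-hotel.tld%2F 200",
]

if __name__ == "__main__":
    for line_no, fields in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: personal data sent to analytics: {fields}")
```

The fix on the hotel side is to keep the reference and email out of the URL entirely (post them in the request body or use a single-use opaque token), since any third-party script on the page can read the address bar.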
“This results in the reference code being shared with more than 30 different service providers, including well-known social networks, search engines, and advertisement and analytics services. This information could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether. Note that in this scenario, the fault is not on the service provider’s side,” added Wueest.
Wueest further stressed that 29% of the booking systems checked also send a booking confirmation email containing a non-encrypted (plain HTTP) webpage link. That means an unknown party in a man-in-the-middle position could intercept the link, and the reservation it opens, in transit between the hotel and its customers. The hotels’ IT support teams are not helping the situation either: 25% of them had not responded to Wueest’s notifications asking them to fix their websites within a six-week window.