The reservation systems used on hotel websites that allow users to book rooms can potentially leak personal data, according to Symantec researcher Candid Wueest, in a report published Wednesday. Wueest tested multiple websites counting “more than 1,500 hotels in 54 countries,” and found that 67% of these sites leak booking reference codes to third-party websites due to the way links are formed to allow users to view or edit their booking.

According to the report, 57% of confirmation emails include a direct access URL to view booking information without requiring authentication, of which 29% use insecure URLs that pass variables inside the URL, in formats similar to the following:


If the hotel website uses external resources, when this page is loaded, referrer data is sent, leaking the full URL to third parties. With this information, malicious actors within those third-party organizations can view reservation details and personal information–including name, address, phone number, passport number, credit card type, expiration, and last four digits of the card number–and even cancel the reservation. This is especially concerning for business travelers, who could have corporate card information stolen along with personal information.

SEE: IT pro’s guide to GDPR compliance (free PDF) (TechRepublic)

The report further notes that this data remains visible even if the reservation is cancelled. Interestingly, third-party hotel search engines “appear to be slightly more secure,” with only two of the five websites tested leaking credentials, and one sending a login link without encryption. Worryingly, the report also indicates that the booking number is simply incremented by one for each reservation, making it possible to brute force access if the email address is known, a problem which Wueest claims is widespread.

It is unclear how many individual websites this actually affects–due to consolidation in the hospitality industry, hotel chains operate a variety of websites for individual hotels or brands that share a common backend. Wueest notes that due to this, “my research for one hotel applies to other hotels in the chain,” though does not provide specifics on the number of individual websites tested.

This type of data sharing would seemingly be in violation of GDPR, with the report noting that some data privacy officers contacted during this investigation “admitted that they are still updating their systems to be fully GDPR-compliant,” while others “argued that it wasn’t personal data at all and that the data has to be shared with advertising companies as stated in the privacy policy.”

Given the widespread nature of this issue, protecting your personal information from poor handling practices of third parties is challenging. If your credit card offers disposable, one-time-use numbers, taking advantage of that service may be of some help to safeguarding your financial information.

For more on security, check out “Businesses beware: Spearphishing attacks aim to change payroll direct deposits” and “Employee mistakes and system errors are a larger threat to data security than hackers or insiders.”