Study: Hotels Often Leak Guest PII

data breach

A study by Symantec, a cybersecurity company, showed that two out of every three hotel sites have leaked personal data, which could include credit card and passport information, according to a report by Reuters.

The data is being shared with third-party sites, as well as advertisers and analysis companies. Symantec studied upwards of 1,500 hotel sites in 54 countries, from two-star to five-star establishments.

The information includes personal details like full names and email addresses, along with payment information, and could be hacked by criminals or used for espionage purposes. Especially, the report said, by criminals who might want to track the movement of influential government workers or business professionals.

Candid Wueest, the primary researcher on the Symantec study, said it’s fairly easy for criminals to get the information.

“While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” Wueest said.

The breaches happen when a site sends an email to confirm a booking. The code in the email could be shared with upwards of 30 different organizations, including social media sites and advertisers.

When reached by Symantec about the problem, a quarter of data privacy officers at the sites didn’t reply about the issue, and the ones that did took about ten days to get back, Wueest said.

“Some admitted that they are still updating their systems to be fully GDPR-compliant,” Wueest said, in reference to Europe’s recently passed General Data Protection Regulation, which went into effect last year. The law has stringent rules on how to deal with breached data.

The Symantec study did not include Marriott International, which made news last November when it revealed one of the worst hotel breaches in history. Marriott said the data on some 500 million guests was compromised.

“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and chief executive officer said at the time.  “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”