Third-party services running on most hotel websites have access to guest booking information, including personal data and payment card details. The data they're privy to also allows them to cancel reservations.

Multiple websites for over 1,500 hotels in 54 countries fail to protect user information from partner services such as advertisers and analytics companies. In 67% of the studied cases, some level of personal information is leaked via booking reference codes.

The data exposed this way may include the guest's full name, email and physical address, phone number, the last four digits of the payment card as well as its type and expiration date, and the passport number.

Booking link shared with too many services

Most hotel booking sites send guests a confirmation email with a direct link to their reservation details that does not require logging in. The email address and the booking ID are passed as query parameters in that link.

The privacy issue occurs when the customer lands on a website that loads additional content from third parties. Some requests to these remote resources contain the full URL sent to the customer, says Candid Wueest, senior threat researcher at Symantec.

"This means that direct access is shared either directly with other resources or indirectly through the referrer field in the HTTP request," the expert notes in an analysis.

During his tests, Wueest noticed an average of 176 requests being generated for each booking. Although not all requests contain sensitive details, the number is sufficiently large to suggest "that the booking data could be shared quite widely."

Being in the referrer field means that the booking reference code is passed along by the browser, potentially reaching over 30 service providers such as social networks, search engines, and analytics services.

"This information could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether," Wueest says.
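As an added illustration, not part of the Symantec analysis or of this article, the following Python check replays the leak described above: given a constructed confirmation link and a constructed set of third-party requests (host names are hypothetical), it flags every request that receives a booking-link parameter either through the Referer header or embedded in its own URL, and shows which Referer a browser would send for the same page under each Referrer-Policy value, the site-side mitigation.

```python
from urllib.parse import urlparse, parse_qs, unquote
# Constructed no-login confirmation link of the kind the article describes (hypothetical host).
BOOKING_URL = "https://hotel.example/reservation?email=guest%40example.com&booking=ABC123"

# Constructed third-party requests the booking page triggers: (request URL, Referer sent).
THIRD_PARTY_REQUESTS = [
    # analytics beacon that copies the page URL into its own query string
    ("https://analytics.example/collect?dl=https%3A%2F%2Fhotel.example%2Freservation"
     "%3Femail%3Dguest%2540example.com%26booking%3DABC123", BOOKING_URL),
    # static asset loaded from the home page; nothing sensitive reaches it
    ("https://cdn.example/widget.js", "https://hotel.example/"),
    # social widget that receives the data only through the Referer header
    ("https://social.example/like", BOOKING_URL),
]

def fully_decoded(s):
    """Percent-decode repeatedly so a URL nested inside another URL is unwrapped."""
    while (d := unquote(s)) != s:
        s = d
    return s

def booking_secrets(booking_url, keys=("email", "booking")):
    """Query parameters of the confirmation link that identify the guest."""
    q = parse_qs(urlparse(booking_url).query)
    return {k: v[0] for k, v in q.items() if k in keys}

def find_leaks(booking_url, requests):
    """(host, channel, param) for each third-party request carrying a booking-link
    parameter, whether via the Referer header or embedded in its own URL."""
    secrets, leaks = booking_secrets(booking_url), []
    for url, referer in requests:
        host = urlparse(url).netloc
        for name, value in secrets.items():
            if referer and value in fully_decoded(referer):
                leaks.append((host, "referer", name))
            if value in fully_decoded(url):
                leaks.append((host, "url", name))
    return leaks

def referer_under_policy(page_url, policy):
    """Referer a browser sends from an HTTPS page to an HTTPS cross-origin resource
    under the given Referrer-Policy: the mitigation side of the problem."""
    p = urlparse(page_url)
    if policy in ("no-referrer", "same-origin"):
        return None
    if policy in ("origin", "origin-when-cross-origin",
                  "strict-origin", "strict-origin-when-cross-origin"):
        return f"{p.scheme}://{p.netloc}/"  # origin only, query string dropped
    return page_url  # "unsafe-url" / "no-referrer-when-downgrade" send the full link
```

On the sample, find_leaks reports six leaks (analytics.example via both channels, social.example via Referer only) and none for cdn.example; a Referrer-Policy that drops the query string stops the Referer channel, but not a script that copies the page URL into its own request, which only a link without guest identifiers in it fixes.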

However bad this may sound, the third-party providers are not to blame for receiving more information than they need to operate properly.

A concerning find is that the booking data remained accessible even after the reservation had been canceled. This would allow an attacker to harvest personal records of individuals who are not even guests at the target hotel.

Making reservations through a metasearch engine is not a more secure approach either. The researcher found that two of the five services he tested leaked credentials, and another one did not send the login link over a secure connection.

GDPR applies to this, too

Since the data reaches third-party providers considered trusted by the websites, the risk associated with these leaks may be considered sufficiently low not to raise concerns. However, a malicious insider could harvest the referrer URLs and use them to steal customer information.

Moreover, the fact of the matter is that personal customer details are shared with entities that should not have access to them.

In Europe, these practices are in stark contrast with the provisions of the General Data Protection Regulation (GDPR). When Wueest contacted the data privacy officers at the affected hotels, he learned that some of the organizations were still working on making their systems fully compliant with GDPR, one year after the law came into effect.

25% of the officers did not reply six weeks after being informed of the privacy risks. Those that responded needed an average of 10 days to issue a reply and said they would commit to fixing the problem.