Two-thirds of hotel websites inadvertently leak personal data to third-party companies and leave customers vulnerable to hackers.

This is according to research from cyber security firm Symantec, which found that the majority of booking systems used by hotels could allow scammers to access information such as mobile phone and passport numbers.

The leaks come from confirmation emails, sent to customers often containing an unsecured direct link to their booking. The report suggests that anyone on the same network could intercept the email and modify or cancel their reservation.

Principal threat researcher, Candid Wueest, tested the websites of 1,500 hotels from 54 countries and found that two in three of them, or 67%, had the problem. The security lapses are in breach of the EU's GDPR laws, which state that firms must protect the personal data of customers.

"The fact that this issue exists, despite the GDPR coming into effect in Europe almost one year ago, suggests that the GDPR's implementation has not completely addressed how organisations respond to data leakage," said Wueest.

Of the websites Wueest tested, more than half (57%) send confirmation emails to customers with a direct access link to their booking. This is for the convenience of the customer, giving them a simple link to click straight into their reservation without having to log in.