It turns out one of the riskiest things you can do for your personal data is book a hotel room. That's the conclusion of Symantec after reviewing more than 1,500 hotel websites spread across 54 different countries.

As Reuters reports, the review carried out by Symantec discovered that two out of every three hotels will leak the booking details of guests. Those details include full names, email address, postal address, mobile number, credit card details (last four digits, card type, expiration), and passport numbers. The information is accessible to third-party websites, advertisers, and analytics companies.

The obvious questions are how? and why? The personal data being leaked stems mainly from the way in which hotels send confirmation emails. They typically include a reference code, which links to all the booking information and doesn't require a login to access. A quarter of the hotel websites also aren't encrypting the link, making it much easier to intercept and access the information.

According to Symantec, that reference can be shared with over 30 different service providers, "including social networks, search engines and advertising and analytics services." From the hotel's point of view, sharing the information with the customer in this way is simple and easy to do, but it clearly overlooks the security threat being posed.

Candid Wueest, principal threat researcher at Symantec, explained, "While it's no secret that advertisers are tracking users' browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether."

If the ease with which personal information is being shared isn't worrying enough, the hotel responses to this review should set alarm bells ringing. Symantec contacted all of them, with the average response time by a hotel data privacy officer taking 10 days. However, 25 percent did not reply within six weeks of contact. One common response seems to be they are, "still updating their systems to be fully GDPR-compliant."

Back in November, it was discovered that the personal details of 500 million guests at Marriott International hotels had been exposed in a database hack. Symantec did not include Marriott hotels in the review, reinforcing the fact this seems to be an industry-wide problem.

Further Reading

Security Reviews