This is a threat since cyber-criminals are increasingly interested in monitoring the movement of influential business professionals as well as government employees.
According to a research report released by Symantec Corp, two out of three hotel websites have inadvertently leaked guests’ booking details as well as personal data to third-party sites, including advertisers and analytics companies.
Symantec’s study looked at more than 1,500 hotel websites across 54 countries. The hotels ranged from two-star to five-star properties.
The report comes in the wake of Marriott International’s disclosure of one of the worst data breaches in history.
Symantec clarified its report did not include Marriott.
Compromised personal data includes full names, credit card details, passport numbers, and email addresses. These could be used by cyber-criminals who are increasingly interested in the movements of influential business professionals and government employees, said Symantec.
“While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” said Candid Wueest, the primary researcher on the study.
According to Symantec, personal data is often compromised when a hotel site sends confirmation emails with a link that has direct booking information. The reference code attached to the link could be shared with more than 30 different service providers, including social networks, search engines and advertising and analytics services.
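One way a site owner could check for the exposure described above, as an added example that is not taken from Symantec's report: it scans the requests a browser made while rendering a booking page and reports which third-party hosts received the booking reference or email address. It assumes the values travel in the link's query string and reach other hosts through the Referer header or request parameters; the hostnames, the parameter names `ref` and `email`, and all sample data are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: link from a confirmation email (hypothetical host and parameter names).
PAGE_URL = "https://hotel.example/booking/manage?ref=ZX81QK7&email=guest%40mail.example"

# Constructed sample: (request URL, Referer header) pairs recorded while the
# page loaded, for instance exported from a browser HAR capture.
REQUESTS = [
    ("https://hotel.example/static/app.js", PAGE_URL),
    ("https://ads.example/pixel.gif?uid=1", PAGE_URL),
    ("https://stats.example/collect?dl=https%3A%2F%2Fhotel.example%2Fbooking%2Fmanage%3Fref%3DZX81QK7",
     "https://hotel.example/"),
    ("https://cdn.example/font.woff2", "https://hotel.example/"),
    ("https://social.example/widget.js", ""),
]


def fully_unquote(text, rounds=3):
    """Undo nested percent-encoding (a URL carried inside another URL's parameter)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_leaks(page_url, requests, sensitive=("ref", "email")):
    """Return {third-party host: sorted [(parameter, channel)]} for each disclosure."""
    page = urlsplit(page_url)
    query = parse_qs(page.query)  # parse_qs already percent-decodes the values
    secrets = {name: query[name][0] for name in sensitive if name in query}
    leaks = {}
    for url, referer in requests:
        host = urlsplit(url).hostname
        # Simplification: only an exact host match counts as first party.
        if host is None or host == page.hostname:
            continue
        for channel, carrier in (("url", url), ("referer", referer)):
            decoded = fully_unquote(carrier)
            for name, value in secrets.items():
                if value in decoded:
                    leaks.setdefault(host, set()).add((name, channel))
    return {host: sorted(found) for host, found in leaks.items()}


if __name__ == "__main__":
    for host, found in find_leaks(PAGE_URL, REQUESTS).items():
        print(host, found)
```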
According to Wueest, 25% of data privacy officers at the affected hotel sites did not reply within six weeks of being notified by Symantec; those who did reply took an average of 10 days to respond.
“Some admitted that they are still updating their systems to be fully GDPR-compliant,” said Wueest.