With the recent announcement the UK Commissioner’s Office is intending to issue a fine of more than £99 million to Marriott Hotels group, a recent study by Symantec* shows some of the serious consequences that can result from unauthorised access, such as unauthorised cancellations, and access to personally identifiable information including name, postal address and passport numbers.


The study involved testing multiple websites, including more than 1,500 hotels in 54 countries, and found that 67% of these sites are inadvertently leaking booking reference codes to 3rdparty sites such as advertisers and analytics companies (even though all of the sites had a “privacy policy” but none of them mentioned this behaviour explicitly.


Types of personal information leaked included data such as:

  • Full name
  • Email address
  • Postal address
  • Mobile phone number
  • Last 4 digits of credit card, card type and expiration date
  • Passport Number


It is suggested that the cause of these leaks could stem from confirmation emails sent to the customer, which includes a link to the booking, allowing the user to go straight to their reservation without having to login.


Martin de Bruin, CEO of Deslyon comments:

“Whilst this is incredibly distressing, it isn’t really a surprise. What if the customer entered the wrong email address, and the booking confirmation was sent to someone else? The can of worms that could have been opened if the email address was shared by a couple!”


The study goes on to state that this information – which can be passed through the email confirmation link by the browser – can also be visible to unauthorised 3rdparties well-known social networks, advertisement and search engines, and all it takes is a rogue employee to use the information collected for their own nefarious purposes for a major incident to occur, which could affect the rights and freedoms of that individual.


It is worth remembering Recital 30 of the EU GDPR which states that ‘Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them’.


“Accountability is the underlying principle under the EU GDPR yet still thousands of companies still seem to think that they avoid their obligations when it comes to privacy and Data Protection, whilst we continue to vehemently be of a different opinion. Companies who do not demonstrate compliance by taking the appropriate technical & organisational measures will be subject to fines and sanctions similar to what we’ve seen in the last 48hours.  Prevention really is better than trying to find a cure after you’ve suffered a breach.” Martin concludes.


If you are looking for guidance and advice on how you can take steps towards data protection compliance and privacy regulations, contact info@deslyon.com today.


(*source: https://www.symantec.com/blogs/threat-intelligence/hotel-websites-leak-guest-data)

Photo by Krys Amon on Unsplash

Share this post on: