How your credit card data gets shared with cyber criminals when you book a hotel

If you have a business trip coming up, you might want to employ extra caution. According to research recently conducted by Symantec Corp, two out of three hotels or 67%, mistakenly leak personal information and booking details to advertisers and analytics companies. This compromised data is typically comprised of email addresses, last four digits of credit card, card type, and expiration date, mobile phone number, your full name, and even passport numbers.

Follow Ladders on Flipboard!

Follow Ladders’ magazines on Flipboard covering Happiness, Productivity, Job Satisfaction, Neuroscience, and more!

Unfortunately, it happens more often than you think


The study’s lead researcher, Candid Wueest, works for Symantec’s Security Technology and Response division.  In his detailed analysis, he explained that the frequency of these errors of confidentiality is higher than many are aware of, and the consequences can end up being catastrophic if intimate details get into the hands of cybercriminals.  Wueest writes, “While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether.”

The study examined over 1,500 hotel websites in 54 different countries, from the two-star range to the five-star range, and included chains and independent properties.  Wueest surmises that our private information is commonly shared when hotels send emails to confirm bookings. These emails contain direct links to our booking information, which is then made inadvertently available to over thirty different service providers.  Fifty-seven percent of the sites tested by Wueest observed a policy of sending confirmation emails with a direct link to the booking info of recent customers.

The report states: “Since the email requires a static link, HTTP POST web requests are not really an option, meaning the booking reference code and the email are passed as arguments in the URL itself. On its own, this would not be an issue. However, many sites directly load additional content on the same website, such as advertisements.”

The research revealed that an alarming 176 requests are granted per booking. Additionally, in most instances, booking data remains visible, even in instances when customers cancel their reservations.

You might also enjoy…