(Reuters) – Two out of three hotel websites inadvertently leak visitors' booking details and personal information to third-party websites, including advertisers and analytics companies, according to research released by Symantec Corp. on Wednesday.
The study, which looked at more than 1,500 hotel websites in 54 countries, ranging from two-star to five-star properties, comes several months after Marriott International Inc. disclosed one of the worst data breaches in history.
Symantec said Marriott was not included in the study.
Compromised personal information includes guests' full names, email addresses, credit card details and passport numbers, which could be used by cyber criminals who are increasingly interested in the movements of influential business people and state employees, Symantec said.
"It's no secret that advertisers track user surfing habits; in this case, the shared information may allow these third-party services to log into a booking, view personal details and even cancel the booking altogether," said Candid Wueest, the lead researcher of the study.
The research showed that the compromise usually occurs when a hotel site sends confirmation emails with a link containing direct booking information. The reference code attached to the link can be shared with more than 30 different service providers, including social networks, search engines, and advertising and analytics services.
Mr Wueest said that 25% of data protection officers at the affected hotel sites did not respond to Symantec within six weeks of being notified of the problem, and those who did an average of 1
"Some admitted that they are still updating their systems to be completely GDPR compliant," said Wueest, referring to Europe's new personal data protection legislation, the General Data Protection Regulation, which came into force a year ago and has strict guidelines for how organizations should handle data leakage.