Two out of three hotel websites inadvertently leak guests' booking details and personal data to third-party sites including advertisers and analytics companies, according to new research.
The study by cybersecurity software company Symantec, which looked at more than 1500 hotel websites in 54 countries, comes several months after Marriott International disclosed one of the worst data breaches in history.
- Thousands of hotel guests secretly filmed and broadcast live in South Korea
- Trivago admits to misleading customers, may have to pay more than $10 million in fines
Compromised personal information includes full names, email addresses, credit card details and passport numbers of guests, Symantec said.
The data could be used by cybercriminals who are increasingly interested in the movements of influential business professionals and government employees, according to Symantec.
"While it's no secret that advertisers are tracking users' browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether," said Candid Wueest, the primary researcher on the study.
The research showed compromises usually occur when a hotel site sends confirmation emails with a link that has direct booking information.
The reference code attached to the link could be shared with more than 30 different service providers including social networks, search engines and advertising and analytics services.
Wueest said 25 percent of data privacy officers at the affected hotel sites did not reply to Symantec within six weeks when notified of the issue, and those who did took an average of 10 days to respond.
"Some admitted that they are still updating their systems to be fully GDPR-compliant," Wueest said, referring to Europe's new privacy law, or the General Data Protection Regulation, which took effect about a year ago and has strict guidelines on how organisations should deal with data leakage.