Hotel websites are leaking guest information

(Image credit: Shutterstock) (Image credit: Image Credit: Pixabay)

Hotel websites may be leaking your personal booking details and other data to third parties without you knowing, new research has claimed.

A report from security firm Symantec estimates that two in three hotel websites could be passing on details, potentially allowing others to view your personal data or even cancel your reservation.

The report analysed more than 1,500 hotels in 54 countries spread across five continents, and found a significant proportion of both hotel sites and price comparison services may be putting users at risk.


The company says that the flaws originate from confirmation emails sent out by many chains to customers.

The contain a direct access link to their booking on the site, which although meant to assist customers with finalising their trip, are often unencrypted direct links which require no further authentication to view booking details.

Booking websites also utitlise third-party analytics tools, which are only activated by contacting third-party servers. This is typically done behind the scenes, but in this case, the direct access URL is passed on to third parties, meaning anyone at this external organisation could obtain sight of your booking and the data contained within.

The company says that almost all useful personal information could be at risk from such attacks, from full name and email address, to credit card details and their passport number. 

Symantec also found that many websites allow brute forcing of the booking reference entry system, as in many cases, the booking reference code is simply carried over from one booking to the next. This means that if the attacker knows the email or the last name of the customer, they can guess that customer’s booking reference number and log in.

"While it's no secret that advertisers are tracking users' browsing habits, in this case the information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether," Candid Wueest, Symantec principal threat researcher, wrote in a blog post outlining the findings.

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.