The United Kingdom Information Commissioner"s Office (ICO), the watchdog charged with overseeing data privacy and protection matters in the UK, has begun an investigation into a hotel booking site that an information security consultant has condemned over an "appalling" data leak, and the company"s subsequent failure to act on it.
Scott Helme visited HotelHippo.com - owned by the HotelStayUK group - as a customer looking for a good deal on a stay in England"s picturesque Lake District. But when his search led him to the site, he was horrified to discover a string of failures in its security, leaving it completely vulnerable to data mining from unscrupulous third-parties.
The first red flag was that the site was served over HTTP, despite numerous highly visible claims that the site was secure, and attempting to navigate to a HTTPS version resulted in an SSL error, since the security certificate was for a completely different domain (secure.afternoonteafortwo.co.uk).
Cautiously pressing on through the booking process, Helme entered his personal details - name, address, and the like - before proceeding to the payment details page. To his surprise, he noted that his booking reference number - stated on the page - was duplicated in the address bar in plain text.
Not inspired by the site"s claims of security, he played a hunch and edited the booking reference in the URL, and immediately found that he was able to access details of other customers on the site.
The booking references were sequentially numbered, so he could go through each of them one by one, viewing customer details - including names, addresses, phone numbers and, horrifyingly, dates of travel, giving potential burglars all the info they need to ransack your house while you"re away. Helme has detailed further elements of the company"s security failures on his blog.
He initially contacted HotelStayUK to let them know about the security gaps on their site on June 25. However, Helme said that his "repeated emails and phone calls" to the company were ignored. HotelHippo.com remained online until today (July 1), when it quickly disappeared after BBC News contacted the company for comment.
The company said in a statement that it had "taken down the HotelHippo.com website to take some urgent action to deal with a technical situation." It added: "Privacy of customer data is our prime concern, and we are committed to ensuring this safety."
The HotelStayUK site has also been taken offline and replaced with an error message. However, HotelStayUK managing director Chris Orrell denied any knowledge of the problem: "No-one"s passed on any information to me," he said.
The ICO says that its investigation "will be looking into the matter to establish the full details", according to a spokesperson.
Source: Scott Helme via BBC News | images 1-3 via ScottHelme.co.uk