HotelHippo described as "gift for burglars" after haemorrhaging customer data

Hotel booking site HotelHippo is being investigated by the UK data privacy watchdog for leaking large amounts of customer information.

The exposed data allowed the matching of hotel bookings with home addresses and was described as a "gift for burglars" by a security expert.

The site, owned by HotelStayUK, issued a statement saying: "We confirm that we have taken down the website to take some urgent action to deal with a technical situation.

"Privacy of customer data is our prime concern, and we are committed to ensuring this safety."

The data breach was described as "appalling" by security consultant Scott Helme, who also said that he sent the company details of the vulnerability on 25 June, but it was not until nearly a week later that any action was taken.

Helme "easily discovered" that a unique five-figure number would appear in the web browser's address bar whenever a booking was placed.

By simply altering this number, he was able to gain access to information from previous bookings, including the date, location, length of stay and even home addresses of customers.
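The flaw described here is an access-control failure: the booking number in the address bar was the only thing deciding whose record was shown. The following is an added example, not HotelHippo's code, showing a lookup with that weakness beside one that checks ownership and hands out unguessable references; the in-memory store, the function names and the logged-in session identity are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Booking:
    owner: str          # account that placed the booking (assumed session model)
    hotel: str
    nights: int
    home_address: str


# Constructed sample data: sequential five-figure ids, as in the article.
BOOKINGS = {
    10001: Booking("alice", "Constructed Hotel A", 3, "1 Example Street"),
    10002: Booking("bob", "Constructed Hotel B", 7, "2 Example Road"),
}

# Hardened side: each booking gets a random public reference, so the value
# shown in a URL cannot be incremented to reach a neighbouring record.
REFS = {secrets.token_urlsafe(16): booking_id for booking_id in BOOKINGS}


def ref_for(booking_id):
    """Public reference issued for an internal id (hypothetical helper)."""
    return next(ref for ref, bid in REFS.items() if bid == booking_id)


def view_booking_weak(booking_id):
    """The weakness: the number from the URL is the only check performed."""
    return BOOKINGS.get(booking_id)


def view_booking_hardened(session_user, ref):
    """Return a booking only to the account that owns it."""
    booking = BOOKINGS.get(REFS.get(ref))
    # One answer for "no such booking" and "not your booking", so the
    # response does not confirm which references exist.
    if booking is None or booking.owner != session_user:
        return None
    return booking
```

The ownership check is the control that matters; the random reference only makes enumeration impractical and would not be sufficient on its own.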

Managing director Chris Orrell denies having any knowledge about the leak, saying, "No-one's passed on any information to me."

The Information Commissioner's Office opened the investigation on Tuesday and released a statement saying: "We will be looking into the matter to establish the full details."

"Hackers could have been helping themselves to a haul of HotelHippo's customer data for some time," said Roy Harris, the senior VP of EMEIA sales at iboss Network Security. "Threats often move through networks unseen. However, in this case, for personal data to be revealed by changing a unique five-figure number in the web browser is worrying.

"In this case, vigilant consumers would be none the wiser to the risk, as the website displayed several messages and trust stamps stating it was secure. The onus is now on retailers to ensure consumer safety."

Any concerned customers can contact HotelHippo on 08446 646000.