skip navigation
Manchester Digital
skip mega-menu

Quick Links

Get Involved
What We Do Join the Community Our Newsletter #MDTechCommunity Slack Channel Industry Events Sponsorship
Support
Research and Insights Manifesto for the Northern Tech Economy Startup Support Sectors Relocate Member Offers
Programmes
Apprenticeships Digital Her Startup Activator Skills Festival Skills Audit Training

Who We Are

The Team
The Board

About

News

Events

Directory

Jobs

Join

Programmes

Startups

Apprenticeships

Get in Touch

Posts
Add Post

Booking site HotelHippo.com in 'appalling' data leak
View Profile
View More Posts

HotelHippo.com, owned by HotelStayUK, had revealed booking information that had been a "gift for burglars", a security expert said.

The exposed data could allow the matching of hotel bookings with home addresses.

After being contacted by the BBC, HotelHippo.com was taken offline.

In a statement, the company said: "We confirm that we have taken down the HotelHippo.com website to take some urgent action to deal with a technical situation.

"Privacy of customer data is our prime concern, and we are committed to ensuring this safety."

Information security consultant Scott Helme said he had sent details of the vulnerability to the firm on 25 June, but no action was taken until Tuesday.

HotelHippo, based in St Albans, offered bookings with large chains including Marriott Hotels and Radisson. Other sites owned by HotelStayUK offer theatre tickets and other tourist experiences.

Mr Helme, who described the breach as "appalling", told the BBC that repeated emails and phone calls to HotelStayUK had been ignored.

However, managing director Chris Orrell said he was unaware of the issue.

"No-one's passed on any information to me," he said.

Address database

The UK's data privacy watchdog, the Information Commissioner's Office (ICO), opened an investigation on Tuesday.

"We will be looking into the matter to establish the full details," a spokesman said.

Despite the website displaying several messages and trust stamps stating it was "secure", Mr Helme said he had discovered the vulnerability with ease.

"I easily discovered a method of extracting the personal and sensitive data of thousands of customers that had used the site before me," he said.

The vulnerability centred on the use of unique web addresses to pull up customer data.

When placing a booking, a unique five-figure number would appear in the address bar of the web browser.

By simply altering this number, any user could pull up details of previous bookings.

The leaked data included the date, location and length of a hotel stay. On a separate page, the home address of the person who made the booking could also be found.

Mr Helme said a simple program could be written to pull the data from the site - essentially creating a database of addresses where the residents were staying at hotels, and for how long.

Source: BBC News

Latest Posts

Add Post View All
Posted by CyberLab
Top Strategies to Strengthen Cyber Resilience for Hybrid Working
Posted by Government Digital & Data
Looking to Boost Your Digital and Data Skills? Start Here!
Posted by The Manchester College
From Ada to Amaara
Posted by Higher Ground Marketing
Easily Our Best Website Optimisation Case Study
Posted by CyberLab
Tales from the CyberLab - Episode 3: The State of Ransomware Explained with Sophos
Photo of the strengthened creative team
Posted by Jam
Jam strengthens creative team with three key hires
Posted by Manchester Digital
What's Coming up at Manchester Digital at a Glance | October 2024
Posted by The Manchester College
SAS in Class
The Christie NHS Foundation Trust Logo
Posted by Aire Logic
Aire Logic Secures 2-Year Contract Renewal with The Christie NHS Trust
Posted by Informed Solutions
Informed Solutions Retains Great Place to Work® Certification With 93% Average Rating

Subscribe to our newsletter

Sign up here