Hotel booking website HotelHippo.com is facing an investigation by the Information Commissioner's Office (ICO), following a website flaw that allowed customer data to be easily extracted.
After initially being contacted by cybersecurity specialist Scott Helme on June 25, it seems the company refused to take action until contacted by the BBC. The HotelStayUK-operated website was taken offline after the BBC made contact.
Helme was able to walk backwards through the sequential booking reference numbers, pulling customer data step by step.
If done properly, a customer’s name, home address, date, location and hotel stay duration could be retrieved – and a clever cybercriminal would be able to write a script to quickly pull all data from the Hotel Hippo website.
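From the defender's side, a walk through sequential booking references leaves a recognisable trace in access logs. The following is an added example, not code from HotelHippo or Mr. Helme: it flags clients that request a long run of consecutive references. The log format, the `/booking/<reference>` URL layout, the IP addresses and the threshold are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (client IP, method, path). The URL layout
# /booking/<numeric reference> is an assumption made for this example.
SAMPLE_LOG = """\
203.0.113.7 GET /booking/48213
203.0.113.7 GET /booking/48212
198.51.100.4 GET /booking/51007
203.0.113.7 GET /booking/48211
203.0.113.7 GET /booking/48210
198.51.100.4 GET /booking/51007
203.0.113.7 GET /booking/48209
192.0.2.33 GET /booking/47001
192.0.2.33 GET /booking/49350
203.0.113.7 GET /booking/48208
"""

LINE_RE = re.compile(r"^(\S+) GET /booking/(\d+)$")


def longest_sequential_run(refs):
    """Length of the longest run of requests stepping by exactly +1 or -1."""
    best = run = 1 if refs else 0
    direction = 0
    for prev, cur in zip(refs, refs[1:]):
        step = cur - prev
        if step in (1, -1) and step == direction:
            run += 1                      # same direction: run continues
        elif step in (1, -1):
            direction, run = step, 2      # new run starts with this pair
        else:
            direction, run = 0, 1         # repeat or jump: run is broken
        best = max(best, run)
    return best


def find_enumerators(log_text, threshold=5):
    """Return {client: run_length} for clients walking references in order."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_client[m.group(1)].append(int(m.group(2)))
    runs = {c: longest_sequential_run(r) for c, r in per_client.items()}
    return {c: n for c, n in runs.items() if n >= threshold}
```

Detection of this kind complements, and does not replace, a server-side check that the requester is entitled to view the booking being requested.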
Here is what HotelHippo told the BBC:
“We confirm that we have taken down the HotelHippo.com website to take some urgent action to deal with a technical situation. Privacy of customer data is our prime concern, and we are committed to ensuring this safety.”
HotelHippo customers concerned about customer privacy can call them: 08446 646 000, or email email@example.com.
Thank you to Scott Helme for providing us with this information.
Image courtesy of Mr. Helme