This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at http://www.bbc.co.uk/news/technology-28107277
The article has changed 4 times.
Version 2 | Version 3 |
---|---|
Booking site HotelHippo.com in 'appalling' data leak | Booking site HotelHippo.com in 'appalling' data leak |
(about 7 hours later) | |
A hotel booking website that was leaking large amounts of customer information is being investigated by the UK data privacy watchdog. | A hotel booking website that was leaking large amounts of customer information is being investigated by the UK data privacy watchdog. |
HotelHippo.com, owned by HotelStayUK, had revealed booking information that had been a "gift for burglars", a security expert said. | HotelHippo.com, owned by HotelStayUK, had revealed booking information that had been a "gift for burglars", a security expert said. |
The exposed data could allow the matching of hotel bookings with home addresses. | The exposed data could allow the matching of hotel bookings with home addresses. |
After being contacted by the BBC, HotelHippo.com was taken offline. | After being contacted by the BBC, HotelHippo.com was taken offline. |
In a statement, the company said: "We confirm that we have taken down the HotelHippo.com website to take some urgent action to deal with a technical situation. | In a statement, the company said: "We confirm that we have taken down the HotelHippo.com website to take some urgent action to deal with a technical situation. |
"Privacy of customer data is our prime concern, and we are committed to ensuring this safety." | "Privacy of customer data is our prime concern, and we are committed to ensuring this safety." |
Information security consultant Scott Helme said he had sent details of the vulnerability to the firm on 25 June, but no action was taken until Tuesday. | Information security consultant Scott Helme said he had sent details of the vulnerability to the firm on 25 June, but no action was taken until Tuesday. |
HotelHippo, based in St Albans, offered bookings with large chains including Marriott Hotels and Radisson. Other sites owned by HotelStayUK offer theatre tickets and other tourist experiences. | |
Mr Helme, who described the breach as "appalling", told the BBC that repeated emails and phone calls to HotelStayUK had been ignored. | Mr Helme, who described the breach as "appalling", told the BBC that repeated emails and phone calls to HotelStayUK had been ignored. |
However, managing director Chris Orrell said he was unaware of the issue. | However, managing director Chris Orrell said he was unaware of the issue. |
"No-one's passed on any information to me," he said. | "No-one's passed on any information to me," he said. |
Address database | Address database |
The UK's data privacy watchdog, the Information Commissioner's Office (ICO), opened an investigation on Tuesday. | |
"We will be looking into the matter to establish the full details," a spokesman said. | "We will be looking into the matter to establish the full details," a spokesman said. |
Despite the website displaying several messages and trust stamps stating it was "secure", Mr Helme said he had discovered the vulnerability with ease. | Despite the website displaying several messages and trust stamps stating it was "secure", Mr Helme said he had discovered the vulnerability with ease. |
"I easily discovered a method of extracting the personal and sensitive data of thousands of customers that had used the site before me," he said. | "I easily discovered a method of extracting the personal and sensitive data of thousands of customers that had used the site before me," he said. |
The vulnerability centred on the use of unique web addresses to pull up customer data. | |
When placing a booking, a unique five-figure number would appear in the address bar of the web browser. | |
By simply altering this number, any user could pull up details of previous bookings. | By simply altering this number, any user could pull up details of previous bookings. |
The leaked data included the date, location and length of a hotel stay. On a separate page, the home address of the person who made the booking could also be found. | The leaked data included the date, location and length of a hotel stay. On a separate page, the home address of the person who made the booking could also be found. |
Mr Helme said a simple program could be written to pull the data from the site - essentially creating a database of addresses where the residents were staying at hotels, and for how long. | Mr Helme said a simple program could be written to pull the data from the site - essentially creating a database of addresses where the residents were staying at hotels, and for how long. |
HotelHippo said any concerned customers should contact it on 08446 646 000. | |
Follow Dave Lee on Twitter @DaveLeeBBC | Follow Dave Lee on Twitter @DaveLeeBBC |
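
The flaw described above, where the booking number in the web address was the only key to a customer's record, is shown here beside the server-side ownership check that closes it. This is an added Python example, not code from HotelHippo or the BBC report; the record fields, account names, function names and log entries are constructed for illustration. It goes one step beyond the article by also flagging accounts that request many bookings that are not theirs.

```python
from collections import defaultdict

# Constructed sample data; every name, number and address here is hypothetical.
BOOKINGS = {
    41872: {"owner": "alice", "hotel": "Example Inn", "nights": 3,
            "home_address": "1 Sample Road"},
    41873: {"owner": "bob", "hotel": "Demo Lodge", "nights": 7,
            "home_address": "2 Placeholder Lane"},
}


def view_booking_unchecked(booking_no):
    """Flawed pattern: the number taken from the URL is the only key."""
    return BOOKINGS.get(booking_no)


def view_booking_checked(session_user, booking_no):
    """Release a record only to the authenticated account that made the booking."""
    record = BOOKINGS.get(booking_no)
    if record is None or record["owner"] != session_user:
        return None  # identical answer for "no such booking" and "not yours"
    return record


def flag_enumeration(requests, max_foreign=3):
    """Return sorted accounts that asked for more than max_foreign bookings not theirs.

    requests: iterable of (session_user, booking_no) pairs taken from an access log.
    """
    foreign = defaultdict(set)
    for user, booking_no in requests:
        if view_booking_checked(user, booking_no) is None:
            foreign[user].add(booking_no)
    return sorted(u for u, nums in foreign.items() if len(nums) > max_foreign)


# Constructed access log: bob views his own booking, while the account
# "mallory" requests a run of consecutive numbers it does not own.
SAMPLE_LOG = [("bob", 41873)] + [("mallory", n) for n in range(41870, 41876)]

if __name__ == "__main__":
    print(view_booking_unchecked(41872)["home_address"])  # released to any visitor
    print(view_booking_checked("bob", 41872))             # refused: not bob's booking
    print(flag_enumeration(SAMPLE_LOG))
```

Returning the same response for a missing booking and for someone else's booking keeps the page from confirming which numbers are in use.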