From Forbes | Susan Rowan Kelleher Image by Getty
It’s become painfully clear that hotels are not doing enough to protect their guests’ privacy.
In recent years, we’ve seen high-volume data breaches at a slew of major hotel brands, including Marriott, Hyatt, Hilton, InterContinental, Sheraton, Westin, Starwood, Wyndham, Omni Hotels and Mandarin Oriental.
Then, last month, a report by the cybersecurity software company Symantec revealed that a majority of hotels inadvertently leak guests’ personal data to third parties when they send out confirmation emails. The study looked at more than 1,500 hotel websites in 54 countries ranging from small, independent properties to large five-star resorts and chains, and found that two out of three hotels send messages that can make it easy for third parties to view guests’ full names, email addresses, credit card details and passport numbers.
If there’s a silver lining, it’s that most of the danger outlined in the Symantec report falls into the category of targeted attacks. “These are scary, but very rare,” says Max Eddy, a software analyst at PCMag specializing in security services. “Targeted attacks don’t scale well, and most attackers are out to get as much monetizable information as possible as quickly as possible.”
At the very least, travelers should make sure that the hotel’s confirmation e-mail links to a secure site whose address begins with https, advises Navin Manglani, Professor of Technology at the NYU Stern School of Business. “Also, if the website gets redirected from an https site to an http site, that might be a red flag to not continue viewing the information or not enter any additional information.”
Since hotels have done little to earn the trust of travelers, it’s up to each of us to protect ourselves. Here are four easy steps that can make a big difference:
Mask your personal credit card details.
Booking travel online requires the traveler to fork over a lot of sensitive information. “But some information, such as your credit card number or email address, could be obscured using a service like Abine Blur, which generates one-time-use email addresses and credit card numbers,” says Eddy.
PCMag’s review of Abine Blur calls it “an impressive solution for online privacy.” For $39 a year, you can shop online without revealing your actual email address, phone number, or credit card number — and it manages your passwords, too.
Install an extension to thwart formjackers.
Earlier this year, Symantec highlighted formjacking in its Internet Security Threat Report as one of the most serious and lucrative types of cybercrimes. Formjacking works like an ATM skimmer on websites that require users to fill out online forms. A cybercriminal places a small piece of code on an e-commerce website and then simply waits. When the victim enters a credit card number or other personal data, the code sends that information back to the criminal. It’s particularly dangerous because it’s nearly impossible for victims to detect.
To make the personal information you enter through online forms less vulnerable, Manglani suggests downloading a browser-based script blocker such as ScriptSafe for Chrome, JSBlocker for Safari or NoScript for Firefox.
Never use free Wi-Fi without a VPN.
In general, it’s wise to get into the habit of using a virtual private network (VPN) whenever you are relying on open Wi-Fi networks in airports, hotels, coffee shops and so on. Free Wi-Fi networks are handy but notoriously risky; a VPN boosts security by creating an encrypted tunnel between your computer or your phone and a server.
“Using a VPN — particularly on unsecured, public networks but any network that you don’t manage yourself — is always a good idea since it prevents network traffic from being observed as easily,” says Eddy, who has reviewed the best VPNs for PCMag.
When possible, pay with a digital wallet.
A few major hotel chains and online booking sites such as Expedia and Hotels.com allow guests to pay with digital wallets such as PayPal, Apple Pay or Google Pay.
“This is a more secure option than credit cards, since less of your personal data is shared and the transaction is secure and encrypted,” says Manglani.
None of these steps are prohibitively expensive or require more than a few minutes to set up. Besides, it’s become untenable for travelers to simply sit back and do nothing.
“We trust companies to be good stewards of our data,” says Eddy. “And these hotel sites are clearly failing at it.”