Booking site in 'appalling' data leak

Hotel Hippo maintenance sign The site on Tuesday displayed a message saying it was "down for maintenance"

Related Stories

A hotel booking website that was leaking large amounts of customer information is being investigated by the UK data privacy watchdog., owned by HotelStayUK, had revealed booking information that had been a "gift for burglars", a security expert said.

The exposed data could allow the matching of hotel bookings with home addresses.

After being contacted by the BBC, was taken offline.

In a statement, the company said: "We confirm that we have taken down the website to take some urgent action to deal with a technical situation.

"Privacy of customer data is our prime concern, and we are committed to ensuring this safety."

Information security consultant Scott Helme said he had sent details of the vulnerability to the firm on 25 June, but no action was taken until Tuesday.

HotelHippo, based in St Albans, offered bookings with large chains including Marriott Hotels and Radisson. Other sites owned by HotelStayUK offer theatre tickets and other tourist experiences.

Mr Helme, who described the breach as "appalling", told the BBC that repeated emails and phone calls to HotelStayUK had been ignored.

However, managing director Chris Orrell said he was unaware of the issue.

"No-one's passed on any information to me," he said.

Address database

The UK's data privacy watchdog, the Information Commissioner's Office (ICO), opened an investigation on Tuesday.

"We will be looking into the matter to establish the full details," a spokesman said.

Despite the website displaying several messages and trust stamps stating it was "secure", Mr Helme said he had discovered the vulnerability with ease.

"I easily discovered a method of extracting the personal and sensitive data of thousands of customers that had used the site before me," he said.

Hotel Hippo logo The website offered discounts on hotel rooms

The vulnerability centred on the use of unique web addresses to pull up customer data.

When placing a booking, a unique five-figure number would appear in the address bar of the web browser.

By simply altering this number, any user could pull up details of previous bookings.

The leaked data included the date, location and length of a hotel stay. On a separate page, the home address of the person who made the booking could also be found.

Mr Helme said a simple program could be written to pull the data from the site - essentially creating a database of addresses where the residents were staying at hotels, and for how long.

HotelHippo said any concerned customers should contact it on 08446 646 000.

Follow Dave Lee on Twitter @DaveLeeBBC

More on This Story

Related Stories

More Technology stories


Features & Analysis

  • Cartoon of women chatting on the metroChat wagon

    The interesting things you hear in a women-only carriage

  • Replica of a cargo boxSpecial delivery

    The man who posted himself to the other side of the world

  • Music scoreFinal score Watch

    Goodbye to NYC's last classical sheet music shop

  • Former Secretary of State Hillary Rodham Clinton checks her Blackberry from a desk inside a C-17 military plane upon her departure from Malta, in the Mediterranean Sea, bound for Tripoli, Libya'Emailgate'

    Hillary gets a taste of scrutiny that lies ahead

BBC Future

(Science Photo Library)

Nasa’s amazing airport simulator

How to train 21st Century controllers


  • A robotClick Watch

    The latest in robotics including software that can design electronics to solve problems

Try our new site and tell us what you think. Learn more
Take me there

Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.