Travel website Hotel Hippo is being investigated by the Information Commissioner's Office (ICO) over a bug on the website that potentially allowed hackers to steal data.
The security flaw was discovered by Scott Helme, a consultant at security firm Pentest, who found it while booking a hotel on the website.
A spokesman from the ICO said: "What it appears to be is that people were given a five-digit code and that was included in the URL, so when you changed it you could look at other people's details."
Though Helme informed Hotel Hippo of the bug, he claims it was not until the BBC started to investigate that the company took the problem seriously.
He said the flaws were severe enough that they could place the site in breach of PCI compliance, and could also allow hackers to operate "an effective and convincing phishing scam".
"Whilst I have to applaud them for taking the affected areas of the site offline at that time, it shouldn't have to get so far before companies start taking responsible disclosures seriously," he added.
Hotel Hippo confirmed the website had been put on hiatus so that it could "take some urgent action to deal with a technical situation".
"Privacy of customer data is our prime concern, and we are committed to ensuring this safety," it added.