Why the ICO is investigating Hotel Hippo

Security

by Jimmy Nicholls | 02 July 2014

Or what security researchers get up to in their spare time.

Travel website Hotel Hippo is being investigated by the Information Commissioner's Office (ICO) over a bug on the website that potentially allowed attackers to access other customers' data.

The security flaw was discovered by Scott Helme, a consultant at security firm Pentest, who found it while booking a hotel on the website.

A spokesman from the ICO said: "What it appears to be is that people were given a five digit code and that was included in the URL, so when you changed it you could look at other people's details."
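The flaw the ICO describes is an insecure direct object reference: a short, sequential code in the URL is treated as proof that the requester owns the record. The following is an added illustration, not code from the article or from Hotel Hippo; the booking data, the session customer id and the request log are constructed. It shows the weak lookup beside a hardened one that binds the record to the authenticated customer, a replacement reference that is not guessable, and a simple check a defender can run over access logs to spot enumeration.

```python
import secrets
from typing import Iterable, Optional, Tuple

# Constructed sample data (not real customers): bookings keyed by a 5-digit code.
BOOKINGS = {
    "10234": {"customer_id": 7, "name": "A. Example", "card_last4": "4242"},
    "10235": {"customer_id": 8, "name": "B. Example", "card_last4": "1111"},
}


def lookup_insecure(code: str) -> Optional[dict]:
    """Weak pattern: the code taken from the URL is the only 'authorisation'.

    Anyone who changes the digits reads someone else's booking.
    """
    return BOOKINGS.get(code)


def lookup_secure(code: str, session_customer_id: int) -> Optional[dict]:
    """Hardened lookup: the record must belong to the logged-in customer.

    'Not found' and 'not yours' return the same result so the endpoint does
    not act as an oracle for which codes exist.
    """
    booking = BOOKINGS.get(code)
    if booking is None or booking["customer_id"] != session_customer_id:
        return None
    return booking


def guessable_space(digits: int) -> int:
    """How many values a purely numeric code of this length can take."""
    return 10 ** digits


def new_reference() -> str:
    """Unguessable reference for links in emails/URLs: 128 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(16)


def flag_enumeration(requests: Iterable[Tuple[str, str]], threshold: int = 5) -> list:
    """Detection aid: sessions that request many distinct booking codes.

    requests: constructed (session_id, booking_code) pairs from an access log.
    Returns session ids at or above the threshold, sorted.
    """
    seen = {}
    for session_id, code in requests:
        seen.setdefault(session_id, set()).add(code)
    return sorted(s for s, codes in seen.items() if len(codes) >= threshold)
```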

Though Helme informed Hotel Hippo of the bug, he claims it was not until the BBC started to investigate that the company took the problem seriously.

He said the flaws were severe enough that they could place the site in breach of PCI compliance, and could also allow attackers to operate "an effective and convincing phishing scam".

"Whilst I have to applaud them for taking the affected areas of the site offline at that time, it shouldn't have to get so far before companies start taking responsible disclosures seriously," he added.

Hotel Hippo confirmed the website had been put on hiatus so that it could "take some urgent action to deal with a technical situation".

"Privacy of customer data is our prime concern, and we are committed to ensuring this safety," it added.
