Visitors to hotelhippo.com are now being greeted with a short note entitled ‘website permanently closed', which has telephone and email contact details for further inquiries.
The company's owner, HotelStayUK, has decided to pull the plug on the firm some seven days after Scott Helme, an information security consultant with Pentest Ltd, discovered that he was able to “easily discover a method of extracting the personal and sensitive data of thousands of customers that had used the site before me.”
Writing in a 1 July blog post, Helme said that – as a customer – his booking reference was clearly shown, and that he was able to “start walking backwards through the booking reference numbers, which are sequential and pull out the data associated with each one”. The exposed data included customer names, addresses and booking details.
Helme later found an SQL injection vulnerability in the ID fields used in the site's URLs and said that the level of encryption on the website put it in breach of the PCI Data Security Standard (PCI DSS). Coverage in the blog and in various media outlets prompted the Information Commissioner's Office (ICO) to investigate the incident under the Data Protection Act 1998.
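The two weaknesses Helme describes (sequential booking references that can be walked, and ID fields pasted into SQL) are both lookup-layer mistakes. The following is an added illustration, not code from HotelHippo or from Helme's post, using a constructed in-memory SQLite table and hypothetical function names to show the flawed lookup beside a hardened one: unguessable references, a parameterised query, and an ownership check that the reference alone never satisfies.

```python
import secrets
import sqlite3


def make_db():
    """Constructed sample schema: one bookings table, nothing like the real site's."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE bookings (ref TEXT PRIMARY KEY, customer_id INTEGER, "
        "name TEXT, address TEXT)"
    )
    return db


def new_reference():
    # 128 bits from the OS CSPRNG, URL-safe. Unlike a sequential number, a
    # neighbouring reference cannot be derived from the one a customer is shown.
    return secrets.token_urlsafe(16)


def create_booking(db, customer_id, name, address):
    ref = new_reference()
    db.execute("INSERT INTO bookings VALUES (?, ?, ?, ?)", (ref, customer_id, name, address))
    return ref


def lookup_booking_insecure(db, ref):
    # The pattern the article describes: whoever supplies a reference gets the
    # record, and the value from the URL is concatenated straight into the SQL.
    # With sequential references this is an enumeration of every customer.
    cur = db.execute("SELECT name, address FROM bookings WHERE ref = '" + ref + "'")
    return cur.fetchone()


def lookup_booking(db, ref, customer_id):
    # Hardened: bound parameters (no injection through the ID field) and the
    # row must belong to the logged-in customer, so knowing a reference is not
    # enough to read someone else's name and address.
    cur = db.execute(
        "SELECT name, address FROM bookings WHERE ref = ? AND customer_id = ?",
        (ref, customer_id),
    )
    return cur.fetchone()
```

The ownership check is the part that matters most: random references only raise the cost of guessing, while the check makes a leaked or guessed reference useless on its own.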
Yet in its official response, HotelStayUK – which reportedly turned over £3.4 million back in 2011 – rubbished suggestions that it was closing because of porous security, instead saying that few customers were affected.
“HotelHippo has shut down and will not reopen. Our investigations showed that just 24 customers were affected by the issues with HotelHippo. This was a small, very little-used site. But for even one customer, it is obviously completely unacceptable and we are very sorry. We have therefore contacted all these customers and have offered them compensation. We have also set up a helpline where customers can contact us by calling 08446 606 007,” read the statement.
“Security of our customers' data is of the utmost importance to us. Despite there being no issues with our other sites, as the login process is quite different, as a precaution, we advised affected customers and took down all sites in the group one by one to put them through rigorous testing by independent experts to ensure their safety and security. These independent experts will be employed on an on-going basis to regularly test our sites.”
HotelStayUK didn't respond to our request for extra information on the customers affected, or for the reason behind the company's closure.