Hotel Hippo closes for good after data breach

News by Doug Drinkwater

UK-based travel booking website Hotel Hippo appears to have closed just one week after an independent security consultant found that the firm had weak security and privacy controls.

Also in:

Visitors to hotelhippo.com are now being greeted with a short note entitled ‘website permanently closed', which has telephone and email contact details for further inquiries.

The company's owner, HotelStayUK, has decided to pull the plug on the firm some seven days on from Scott Helme, an information security consultant with Pentest Ltd, discovering that he was able to “easily discover a method of extracting the personal and sensitive data of thousands of customers that had used the site before me.”

Writing in a 1 July blog post, Helme said that – as a customer – his booking reference was clearly shown, and that he was able to “start walking backwards through the booking reference numbers, which are sequential and pull out the data associated with each one”. This vulnerable data included customer names, addresses and booking details.

Helme later found an SQL injection vulnerability on the ID fields used in the site's URL and said that the level of encryption on the website put it in breach of PCI Data Security Standards (DSS). Such coverage in the blog and in various media outlets saw ICO investigate the incident in view of 1998 Data Protection Act.

Yet in its official response, HotelStayUK – which reportedly turned over £3.4 million back in 2011 – rubbished suggestions that it was closing because of porous security, instead saying that few customers were affected.

“HotelHippo has shut down and will not reopen. Our investigations showed that just 24 customers were affected by the issues with HotelHippo. This was a small very little-used site. But for even one customer, it is obviously completely unacceptable and we are very sorry. We have therefore contacted all these customers and have offered them compensation. We have also set up a helpline where customers can contact us by calling 08446 606 007,” read the statement.

“Security of our customers' data is of the utmost importance to us. Despite there being no issues with our other sites, as the login process is quite different, as a precaution, we advised affected customers and took down all sites in the group one by one to put them through rigorous testing by independent experts to ensure their safety and security. These independent experts will be employed on an on-going basis to regularly test our sites.”

HotelStayUK didn't respond to our request for extra information on the customers affected, or for the reason behind the company's closure.

Brian Honan, founder and consultant at BH Consulting, told SCMagazineUK.com that this latest incident is an example of how SMBs view security as an after-thought.

“Many small businesses do not appreciate how important information security is to them. Very often I hear small business owners say to me “why should I worry about security? I am too small for hackers to attack me,” said Honan.

“The closure of HotelHippo should serve as a strong lesson for small businesses that no matter what size they are they need to take information security seriously and that building security into their service or product from the beginning is cheaper than trying to remediate the problems later. Given the nature of the vulnerabilities that were reported, HotelHippo could have faced a large bill, not just in rebuilding their website securely, but also the cost to their brand and reputation, potential investigations or fines from the ICO, and finally potential penalties under PCI-DSS.”

Honan added: "Good security is no longer an option for companies, it is now an absolute requirement and failing to address security properly can come back to haunt them later on.”

Meanwhile, Webroot director George Anderson told SC UK that the closure would forever be remembered as an occasion where porous security had a 'catastrophic' effect on business operations. 

"The closing of HotelHippo will go down in history as an example of where weak security defences had a catastrophic impact on a business," he said via email. 

"Any website that collects customer data, especially one that processes transactions, needs to put security at the heart of its operation - otherwise, it risks tarnishing its reputation and subjecting customers to sophisticated cyber-attacks that can result in significant financial losses for those involved. 

“While it's positive to see that the company is now testing their security robustness with independent security specialists, it is an effort that comes too late. Had this approach been taken earlier, with proper security procedures being followed and appropriate security checks conducted, the security flaws present on the Hotel Hippo website could have been fixed.”

Writing on his blog shortly after this news emerged, veteran security researcher Graham Cluley put the closure down to it being “too daunting” for HotelStayUK to fix privacy and security problems, and questioned the measures in place at HotelStayUK's other websites, which include CottageStayUK.com and hotelexclusives.com.

“One hopes that the other websites run by HotelStayUK are being carefully examined for their own security vulnerabilities and privacy holes, and will only return online once the company is confident that it has a handle on the situation,” wrote Cluley.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events